Bug 49941 - Disable pam_systemd by default (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3-4-errata
Assigned To: Philipp Hahn
Arvid Requate
https://serverfault.com/questions/706...
: systemd
Depends on: 47233 49614 49910
Blocks:
Reported: 2019-07-31 09:34 CEST by Philipp Hahn
Modified: 2019-07-31 14:25 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019073021000848
Bug group (optional):
Max CVSS v3 score:
Description Philipp Hahn univentionstaff 2019-07-31 09:34:06 CEST
+++ This bug was initially created as a clone of Bug #49910 +++

With Bug #47233 we enabled pam_systemd to terminate ssh sessions when the server reboots or is shut down.
Unfortunately this has two negative side effects:

- for each user a `systemd --user` is started, which remains even after exit. On servers (running Samba) this leads to many extra processes consuming valuable system resources like RAM and has already led to processes being killed by OOM.

- for each session the module creates a new CGroup, which "leaks" memory in the Linux kernel (Bug #49614): In-kernel memory structures are still associated with the CGroup even after all processes have terminated, which prevents the CGroup from finally being freed.

1. Disable the PAM module by default
2. Add a new UCR variable to enable it on demand.
Comment 1 Philipp Hahn univentionstaff 2019-07-31 09:45:28 CEST
[4.3-4] 2d2d854ac3 Bug #49910 pam: Disable pam_systemd by default
 .../conffiles/etc/pam.d/common-session.d/10univention-pam_common    | 2 +-
 base/univention-pam/debian/changelog                                | 6 ++++++
 .../univention-pam/debian/univention-pam.univention-config-registry | 1 +
 .../debian/univention-pam.univention-config-registry-variables      | 6 ++++++
 4 files changed, 14 insertions(+), 1 deletion(-)

Package: univention-pam
Version: 11.0.1-6A~4.3.0.201907310938
Branch: ucs_4.3-0
Scope: errata4.3-4

QA:
 apt install univention-pam=11.0.1-6A~4.3.0.201907310938
 grep --color pam_systemd /etc/pam.d/common-session
 ucr set pam/session/systemd=1
 grep --color pam_systemd /etc/pam.d/common-session
 ucr set pam/session/systemd=0
 grep --color pam_systemd /etc/pam.d/common-session
 ucr unset pam/session/systemd
 grep --color pam_systemd /etc/pam.d/common-session

[4.3-4] 0e4c3e1da1 Bug #49941: univention-pam 11.0.1-6A~4.3.0.201907310938
 doc/errata/staging/univention-pam.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
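As an added example (not code from the bug report or from univention-pam), a small POSIX shell audit that turns the QA steps above into checks: it tells whether an uncommented pam_systemd line is effective in a PAM session file, compares that against the intended value of pam/session/systemd, and counts lingering `systemd --user` managers in a process listing. The `session optional pam_systemd.so` line form and all sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of univention-pam:
# audit a host for the two effects described above. All inputs below are
# constructed sample data; on a real host you would point the functions at
# /etc/pam.d/common-session and at the output of `ps -eo pid,user,args`.

# pam_systemd_active FILE -> prints "active" when an uncommented
# "session ... pam_systemd.so" line (leading "-" allowed) is present,
# otherwise "inactive". Commented-out lines do not count.
pam_systemd_active() {
    if grep -Eq '^[[:space:]]*-?session[[:space:]]+.*pam_systemd\.so' "$1"; then
        echo active
    else
        echo inactive
    fi
}

# expect_state UCR_VALUE FILE -> "ok" when the effective PAM config matches
# the value of pam/session/systemd (1 => active, anything else => inactive),
# "mismatch" otherwise. Useful right after `ucr set` / `ucr unset`.
expect_state() {
    if [ "$1" = 1 ]; then want=active; else want=inactive; fi
    if [ "$(pam_systemd_active "$2")" = "$want" ]; then echo ok; else echo mismatch; fi
}

# count_user_managers PS_FILE -> number of lingering "systemd --user"
# managers in a ps listing (one per user that ever logged in via PAM).
count_user_managers() {
    grep -Ec 'systemd --user([[:space:]]|$)' "$1" || true
}

# Constructed sample inputs: one config with the module active, one with it
# commented out, and a ps listing with two leftover user managers.
demo=$(mktemp -d)
printf 'session required pam_unix.so\nsession optional pam_systemd.so\n' > "$demo/enabled"
printf 'session required pam_unix.so\n# session optional pam_systemd.so\n' > "$demo/disabled"
printf '%s\n' '  PID USER     COMMAND' \
    '  812 alice    /lib/systemd/systemd --user' \
    '  813 alice    (sd-pam)' \
    '  900 bob      /lib/systemd/systemd --user' \
    ' 1201 root     sshd: /usr/sbin/sshd -D' > "$demo/ps"

echo "enabled config:  $(pam_systemd_active "$demo/enabled")"          # active
echo "disabled config: $(pam_systemd_active "$demo/disabled")"         # inactive
echo "ucr=1 vs disabled config: $(expect_state 1 "$demo/disabled")"    # mismatch
echo "lingering user managers: $(count_user_managers "$demo/ps")"      # 2
rm -rf "$demo"
```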
Comment 2 Arvid Requate univentionstaff 2019-07-31 11:31:46 CEST
Verified:
* Patch backport
* Package update
* Functional test
* Advisory
Comment 3 Arvid Requate univentionstaff 2019-07-31 14:25:39 CEST
<http://errata.software-univention.de/ucs/4.3/555.html>