pam_unix returns incorrect return value when not run as root
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Ubuntu) | Expired | Undecided | Unassigned | | |
Bug Description
In attempting to fix bug #43465 I have stumbled across this additional issue.
My common-auth file follows:
auth [default=die success=done authinfo_
auth [default=die success=1 service_err=reset auth_err=die] pam_krb5.so use_first_pass debug forwardable
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store use_first_pass
The basic idea here is that pam_unix should return success only when it is successful, and the process should exit successfully. If pam_unix returns "authinfo_unavail", which basically indicates that no password is assigned to this user locally or in shadow, the stack should proceed to the next module. Any other exit value, such as auth_err, should result in immediate termination.
When run with login, ssh, gdm, and most other pam applications, this works exactly as expected.
When run from gnome-screensaver, while trying to unlock the screen, this does not work.
The difference is that gnome-screensaver does not run as root. I suspect this improperly alters the exit code. Even when run as non-root, the exit code should still be the same; there is no local shadow entry for this user and he does not appear in /etc/passwd. He is delivered by nss_ldap.
This bug is blocking the network-
This is confirmed
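The control flow the report relies on can be traced with a small model of PAM's bracketed `[value=action]` evaluation. This is an added example, not code from the reporter or from Linux-PAM. The first stack line is truncated on the page, so its module name and `authinfo_unavail=ignore` action are assumptions taken from the description, and the module return values in each scenario are constructed inputs.

```python
# Simplified model of how Linux-PAM evaluates [value=action] controls (pam.conf(5)).
# Line 1 of the stack is truncated on the page: the module name and the
# authinfo_unavail=ignore action are ASSUMED from the description. Options omitted.
STACK = [
    ("pam_unix.so", "default=die success=done authinfo_unavail=ignore"),  # assumed
    ("pam_krb5.so", "default=die success=1 service_err=reset auth_err=die"),
    ("pam_ccreds.so validate", "default=die success=done"),
    ("pam_ccreds.so store", "default=done"),
]

def run_stack(stack, returns):
    """returns: module label -> PAM return name. Gives (stack result, modules run)."""
    impression, status, skip, trace = None, None, 0, []
    for name, control in stack:
        if skip:                      # a previous success=N jump is still active
            skip -= 1
            continue
        rules = dict(tok.split("=") for tok in control.split())
        ret = returns[name]
        trace.append(name)
        action = rules.get(ret, rules["default"])
        if action.isdigit():          # jump over the next N modules
            skip = int(action)
        elif action == "reset":       # forget everything decided so far
            impression, status = None, None
        elif action in ("bad", "die"):
            if impression != "neg":   # the first failure fixes the result
                impression, status = "neg", ret
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break
        # "ignore": this module's return value does not contribute
    return (status if impression else "perm_denied"), trace

# Constructed scenarios; module return values are inputs, not observations.
OK = {"pam_krb5.so": "success", "pam_ccreds.so validate": "success",
      "pam_ccreds.so store": "success"}
SCENARIOS = {
    "local user": {**OK, "pam_unix.so": "success"},
    "LDAP user, expected": {**OK, "pam_unix.so": "authinfo_unavail"},
    "LDAP user, other code": {**OK, "pam_unix.so": "auth_err"},
    "krb5 service_err": {**OK, "pam_unix.so": "authinfo_unavail",
                         "pam_krb5.so": "service_err"},
}

if __name__ == "__main__":
    for label, rets in SCENARIOS.items():
        print(label, "->", run_stack(STACK, rets))
```

The "LDAP user, other code" case shows why a changed pam_unix return value matters here: with `default=die` on the first line, the stack ends before pam_krb5 or pam_ccreds is ever consulted.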