runuser doesn't authenticate PAM modules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
util-linux (Ubuntu) | New | Undecided | Unassigned |
Bug Description
We use the pam_localuser.so PAM module so that root can become only local users,
because we don't want root to be able to become a domain user (we use sssd with AD integration).
This works well with the su program, but fails with runuser.
We added the following in front of pam_rootok.so in /etc/pam.d/su and /etc/pam.d/runuser:
auth required pam_localuser.so
As I found out, this behaviour can easily be changed by applying the following patch:
diff -urN util-linux-
--- util-linux-
+++ util-linux-
@@ -709,7 +709,6 @@
*/
if (su->restricted)
- return;
}
rc = pam_authenticat
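Review bot: removing only the `return;` leaves the `if (su->restricted)` test on the context line above it without a body in the visible lines, so the condition should be dropped together with the return (and the comment that ends with `*/` above it updated), rather than left as a dangling test that the compiler will warn about. The `diff -urN`, `---` and `+++` header lines are truncated here, so the file being patched cannot be confirmed from the hunk itself. Note also that once `pam_authenticate` runs for runuser, every module in the runuser auth stack is now consulted, so the `pam_rootok.so` shortcut described in the report must remain after `pam_localuser.so` for root to keep its password-less switch to local users.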
And it works as expected:
# runuser domainuser
runuser: Permission denied
However, we would always need to recompile util-linux as new security updates come out.
Could this please be applied to the Ubuntu repository and backported for bionic?
I will contact the util-linux maintainer separately in order to get this upstream.
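The report relies on pam_localuser.so being stacked ahead of pam_rootok.so in the auth section of the su and runuser service files. The script below is an added audit helper, not part of the bug report or of util-linux: it reads a file in /etc/pam.d/<service> format and returns success only when the first auth rule for pam_localuser.so comes before the first auth rule for pam_rootok.so. The two sample service files it creates are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example (not from the bug report): check that pam_localuser.so is
# stacked in the "auth" section ahead of pam_rootok.so in a PAM service file.
# Assumption: the file uses the one-rule-per-line /etc/pam.d/<service> format
# ("type control module [args]"); @include and comment lines are ignored.
# Exit status: 0 = localuser precedes rootok (or rootok absent), 1 otherwise.
pam_localuser_before_rootok() {
    file="$1"
    # Line number of the first auth rule naming each module. Matching on the
    # whole line keeps bracketed control fields like [success=1 default=ignore]
    # from shifting the module name out of a fixed column.
    localuser_ln=$(awk '$1 == "auth" && /pam_localuser\.so/ { print NR; exit }' "$file")
    rootok_ln=$(awk '$1 == "auth" && /pam_rootok\.so/ { print NR; exit }' "$file")
    [ -n "$localuser_ln" ] || return 1     # pam_localuser.so is not in the auth stack at all
    [ -z "$rootok_ln" ] && return 0        # no pam_rootok.so, so nothing short-circuits localuser
    [ "$localuser_ln" -lt "$rootok_ln" ]
}

# Create two constructed sample service files in a temporary directory and
# print the directory name. "su.good" mirrors the ordering from the report;
# "su.bad" has pam_rootok.so first, so root never reaches pam_localuser.so.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/su.good" <<'EOF'
# constructed sample: localuser check first, then the root shortcut
auth       required   pam_localuser.so
auth       sufficient pam_rootok.so
@include common-auth
session    required   pam_unix.so
EOF
    cat > "$dir/su.bad" <<'EOF'
# constructed sample: rootok first, localuser check is bypassed for root
auth       sufficient pam_rootok.so
auth       required   pam_localuser.so
@include common-auth
EOF
    printf '%s\n' "$dir"
}

# Demonstration on the constructed samples.
sample_dir=$(make_sample)
for f in su.good su.bad; do
    if pam_localuser_before_rootok "$sample_dir/$f"; then
        echo "$f: pam_localuser.so precedes pam_rootok.so"
    else
        echo "$f: pam_localuser.so missing or stacked after pam_rootok.so"
    fi
done
rm -rf "$sample_dir"
```

Run it against a real file with `pam_localuser_before_rootok /etc/pam.d/su` after sourcing the script. Keep in mind the point of the report: for runuser, the unpatched util-linux never calls pam_authenticate, so a correctly ordered auth stack in /etc/pam.d/runuser is not consulted at all until the patch is applied; this check confirms the configuration, not the behaviour of the binary.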
The attachment "util-linux_ 2.31.1_ runuser_ pam.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]