[Bug 67276] Re: pam_unix returns incorrect return value when not run as root

[Steve Langasek]

Jerome, I'm sure you're out there, I just saw you on #multiarch ;)  Can
you please comment whether this is still an issue with current versions
of pam_unix?

** Changed in: pam (Ubuntu)
       Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/67276

Title:
  pam_unix returns incorrect return value when not run as root

Status in “pam” package in Ubuntu:
  Incomplete

Bug description:
  In attempting to fix bug #43465 I have stumbled across this additional
  issue.

  My common-auth file follows:

  auth [default=die success=done authinfo_unavail=reset] pam_unix.so debug
  auth [default=die success=1 service_err=reset auth_err=die] pam_krb5.so use_first_pass debug forwardable
  auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
  auth [default=done] pam_ccreds.so action=store use_first_pass

  The basic idea here is that pam_unix should return success only when
  it is successful, and the process should exit successfully. If
  pam_unix returns "authinfo_unavail", which basically indicates that no
  password is assigned to this user locally or in shadow, the stack
  should proceed to the next module. Any other exit value, such as
  auth_err, should result in immediate termination.

  When run with login, ssh, gdm, and most other pam applications, this
  works exactly as expected.

  When run from gnome-screensaver, while trying to unlock the screen,
  this does not work.

  The difference is that gnome-screensaver does not run as root. I
  suspect this improperly alters the exit code. Even when run as non-
  root, the exit code should still be the same, there is no local shadow
  entry for this user and he does not appear in /etc/passwd. He is
  delivered by nss_ldap.

  This bug is blocking the network-authentication spec.