[Bug 962560] Re: pam-auth-update Account-Type should be "Additional"

Russ Allbery rra at debian.org
Mon Mar 26 16:41:25 UTC 2012 

This analysis looks right to me, and I think may run deeper than just
this one module.  If every account module should be additional and not
primary, I think that points to an error in the data model or
interpretation of the data model, rather than in individual PAM
configurations.  And viewing the account stack as a guantlet of denials
where one should therefore not skip modules makes sense to me.

Modules doing account checks for which the auth check never ran and
which therefore cannot do anything meaningful (not the case for
pam_ldap, where the auth and account checks are unrelated, but the case
for things like pam-krb5) should return PAM_IGNORE on account if they're
not meaningful.  And indeed pam-krb5 already does.

Adding libpam-runtime to get the opinion of the pam-auth-update author.

** Also affects: pam (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/962560

Title:
  pam-auth-update Account-Type should be "Additional"

Status in “libpam-ldap” package in Ubuntu:
  New
Status in “pam” package in Ubuntu:
  New

Bug description:
  Currently, libpam-ldap provides a pam-auth-update stub that inserts
  pam_ldap into the authorization stack as Account-Type: Primary.

  Unfortunately, this means that, should pam_unix (also Account-Type:
  Primary) succeed, pam_ldap will never be checked.  It also means that
  anything wishing to conflict with pam_ldap by providing a stub with
  "Conflicts: ldap" and a properly-behaving "Account-Type: Additional"
  will not actually end up conflicting with the misplaced pam_ldap.

  In general, while the "Auth" stack is permissive (once one succeeds,
  the user has proven their identity, there's no sense in running
  additional authentication checks, so you skip checking the rest and
  just let the user through) and are thus perfectly suited to be Auth-
  Type: Primary, the "Account" (authorization) stack is essentially a
  gauntlet of potential denials, meaning every single PAM module should
  be run (Account-Type: Additional) to check for an authorization
  failure, even if others have already succeeded.

  See Debian bugs #583483, #583492, and especially response #20 to
  Debian bug #610888.

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610888#20

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/962560/+subscriptions

More information about the foundations-bugs mailing list