[Bug 962560] Re: pam-auth-update Account-Type should be "Additional"
Russ Allbery
rra at debian.org
Mon Mar 26 16:44:05 UTC 2012
Ah, in fact, I see comment #20 mentioned above is from Steve.
Steve, when would you ever want to have an account type of Primary given
those semantics? Shouldn't Primary just be treated the same as
Additional for the account stack?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/962560
Title:
pam-auth-update Account-Type should be "Additional"
Status in “libpam-ldap” package in Ubuntu:
New
Status in “pam” package in Ubuntu:
New
Bug description:
Currently, libpam-ldap provides a pam-auth-update stub that inserts
pam_ldap into the authorization stack as Account-Type: Primary.
Unfortunately, this means that, should pam_unix (also Account-Type:
Primary) succeed, pam_ldap will never be checked. It also means that
anything wishing to conflict with pam_ldap by providing a stub with
"Conflicts: ldap" and a properly-behaving "Account-Type: Additional"
will not actually end up conflicting with the misplaced pam_ldap.
In general, while the "Auth" stack is permissive (once one succeeds,
the user has proven their identity, there's no sense in running
additional authentication checks, so you skip checking the rest and
just let the user through) and is thus perfectly suited to be
Auth-Type: Primary, the "Account" (authorization) stack is essentially a
gauntlet of potential denials, meaning every single PAM module should
be run (Account-Type: Additional) to check for an authorization
failure, even if others have already succeeded.
See Debian bugs #583483, #583492, and especially response #20 to
Debian bug #610888.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610888#20
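The difference the bug description draws between Account-Type: Primary and Account-Type: Additional can be seen in a small model of the account stack. This is an added example, not part of the bug report and not pam-auth-update's own code or output. The stack layout, the simplified handling of `success=N`, `requisite` and `required`, and the module results are assumptions of the model.

```python
# Simplified model of a PAM "account" stack (illustrative; not real libpam).
SUCCESS, DENY, UNKNOWN = "success", "perm_denied", "user_unknown"

def build_stack(primary, additional):
    """Assumed layout: Primary modules jump past the rest of the Primary
    block on success; Additional modules follow and always run."""
    stack = []
    for i, mod in enumerate(primary):
        # success=N skips the N following entries (later primaries + pam_deny)
        stack.append((("jump", len(primary) - i), mod))
    stack.append(("requisite", "pam_deny"))   # reached only if no primary succeeded
    stack.append(("required", "pam_permit"))
    stack += [("required", mod) for mod in additional]
    return stack

def run_stack(stack, results):
    """Return (verdict, modules consulted); results maps module -> result."""
    results = {"pam_deny": DENY, "pam_permit": SUCCESS, **results}
    consulted, failed, i = [], False, 0
    while i < len(stack):
        control, mod = stack[i]
        res = results[mod]
        consulted.append(mod)
        if isinstance(control, tuple):        # [success=N default=ignore]
            i += control[1] + 1 if res == SUCCESS else 1
            continue
        if res != SUCCESS:
            failed = True
            if control == "requisite":        # requisite failure ends the stack
                break
        i += 1
    return ("denied" if failed else "granted"), consulted

if __name__ == "__main__":
    # Constructed scenario: the local account is valid, LDAP policy denies it.
    results = {"pam_unix": SUCCESS, "pam_ldap": DENY}
    print(run_stack(build_stack(["pam_unix", "pam_ldap"], []), results))
    print(run_stack(build_stack(["pam_unix"], ["pam_ldap"]), results))
```

With both modules Primary, the first run reports access granted without pam_ldap being consulted; with pam_ldap as Additional, its denial is reached and takes effect.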