libpam-runtime: /etc/pam.d/common-auth bug?
Patrick Goetz
pgoetz at mail.utexas.edu
Thu Apr 22 17:10:53 UTC 2010
This list is actually cited as the package maintainer in the package
status for libpam-runtime, so I thought I would run this by here first
before filing a bug against the package just in case I'm terribly confused.
Both in the /usr/share/pam/common-auth template and in various
instantiations of this I've looked at, one finds the following in the
middle of the common-auth file:
-------------------
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
$auth_additional
# end of pam-auth-update config
-------------------
Am I missing something? My understanding of how pam works indicates
that the line:
auth requisite pam_deny.so
is the end of the road for all further processing, since requisite
returns fail instantly upon failure and pam_deny always returns failure.
Anything beyond this is consequently superfluous, so given that there
is stuff afterwards (e.g. pam_permit), this is probably not the package
maintainer's intention. Most people are not going to notice this because
pam_unix.so/pam_ldap.so auth processing occurs before the pam_deny line.
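
How the stack around the quoted excerpt evaluates under Linux-PAM's control actions, as an added example that is not part of the original post or of the libpam-runtime package. It is a simplified model of the dispatch loop; the `[success=1 default=ignore]` line for pam_unix.so (standing in for the modules the template comment says "jump around") and the hypothetical `pam_example.so` (standing in for `$auth_additional`) are assumptions.

```python
import re

# Simplified model: keyword controls expanded to action maps, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
# Modules whose result never varies.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

# Constructed stack: first and last lines are assumptions, middle two are from the excerpt.
STACK = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_example.so
"""

def parse(text):
    """Return [(actions, module)] for every 'auth' line."""
    rules = []
    for m in re.finditer(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M):
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((actions, module))
    return rules

def evaluate(rules, results):
    """Walk the stack; return (verdict, modules actually invoked)."""
    impression, ran, i = None, [], 0          # None = no verdict yet
    while i < len(rules):
        actions, module = rules[i]
        ret = results.get(module, FIXED.get(module, "success"))
        ran.append(module)
        action = actions.get(ret, actions["default"])
        i += 1
        if action.isdigit():                  # jump: skip N modules, verdict untouched
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None:
                impression = True
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            impression = False
            if action == "die":               # requisite failure ends the stack here
                break
    return ("granted" if impression else "denied"), ran
```

Calling `evaluate(parse(STACK), {"pam_unix.so": "success"})` and then the same with `"auth_err"` shows which modules are reached in each case; truncating the rules to the first two lines shows the result when nothing after the jump sets a verdict.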
More information about the Ubuntu-devel-discuss
mailing list