FS#38739 - [sudo] pam settings for sudo incomplete
Attached to Project:
Arch Linux
Opened by Brent Hostetler (bch24) - Friday, 31 January 2014, 03:37 GMT
Last edited by Evangelos Foutras (foutrelis) - Sunday, 09 February 2014, 15:37 GMT
Details
Description:
The settings of /etc/pam.d/sudo are incomplete to allow authentication without defaulting to /etc/pam.d/other. If you change /etc/pam.d/other to default deny then you will get the following error.

$ sudo pacman -Syu
[sudo] password for rking:
sudo: account validation failure, is your account locked?

This can be fixed by changing /etc/pam.d/sudo as follows:

== orig sudo ==
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so

== modified sudo ==
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login

This allows users to change the default other policy to deny, such as:

#%PAM-1.0
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so

Additional info:
* package version(s)

$ pacman -Qi pambase
Name           : pambase
Version        : 20130928-1
Description    : Base PAM configuration for services
Architecture   : any
URL            : http://www.archlinux.org
Licenses       : GPL
Groups         : None
Provides       : None
Depends On     : None
Optional Deps  : None
Required By    : pam
Optional For   : None
Conflicts With : None
Replaces       : None
Installed Size : 2.00 KiB
Packager       : Thomas Bächler <thomas@archlinux.org>
Build Date     : Sat 28 Sep 2013 02:23:48 PM PDT
Install Date   : Wed 04 Dec 2013 06:04:21 PM PST
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By   : Signature

* config and/or log files etc.

Steps to reproduce:
1. change /etc/pam.d/other to default of deny
2. try to use sudo. It does not authenticate.
3. Add system-local-login include to /etc/pam.d/sudo to allow authentication.
Closed by Evangelos Foutras (foutrelis)
Sunday, 09 February 2014, 15:37 GMT
Reason for closing: Fixed
Additional comments about closing: sudo 1.8.9.p5-1
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
This should work well enough and address the issue at hand.
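An added example, not code from the bug report, from the closing comment, or from the sudo/pambase packages: a shell script that audits which of the four PAM management groups (auth, account, password, session) a service file covers, following include/substack lines, and lists the groups that would fall through to /etc/pam.d/other. It builds a sample /etc/pam.d tree in a temporary directory (the original and modified sudo files from the report, the sudo file from the closing comment, and a simplified system-auth/system-login/system-local-login chain); that tree is constructed for the example, and the function names pam_types_covered and pam_missing_types are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo/pambase packages).
# Any group a PAM service file does not mention is looked up in
# /etc/pam.d/other instead, which is why a deny-by-default "other"
# broke sudo's account check in the report. This audit resolves
# "include"/"substack" lines (system-local-login -> system-login ->
# system-auth) and prints the groups a service leaves uncovered.

set -u

# pam_types_covered DIR SERVICE [DEPTH]: print the groups the service
# file defines, one per line, sorted. Positional parameters are used
# directly so the recursive call cannot clobber the caller's state.
pam_types_covered() {
    [ "${3:-0}" -lt 8 ] || return 0              # guard against include loops
    [ -r "$1/$2" ] || return 0                   # a missing file covers nothing
    sed -e 's/#.*//' "$1/$2" | while read -r type control module rest; do
        type=${type#-}                           # "-auth": module load is optional
        case $type in auth|account|password|session) ;; *) continue ;; esac
        [ -n "$control" ] || continue            # malformed line, no control field
        case $control in
            include|substack)
                # "auth include X" pulls in only the auth lines of X
                pam_types_covered "$1" "$module" $(( ${3:-0} + 1 )) \
                    | grep -x "$type" || true ;;
            *) echo "$type" ;;
        esac
    done | sort -u
}

# pam_missing_types DIR SERVICE: print the groups that fall back to "other".
pam_missing_types() {
    covered=$(pam_types_covered "$1" "$2")
    for t in auth account password session; do
        echo "$covered" | grep -qx "$t" || echo "$t"
    done
}

# --- constructed sample /etc/pam.d tree (example data, not a real system) ---
PAM_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_DIR"' EXIT

cat > "$PAM_DIR/system-auth" <<'EOF'
#%PAM-1.0
auth      required  pam_unix.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so
EOF
for f in system-login system-local-login; do
    parent=system-auth; [ "$f" = system-local-login ] && parent=system-login
    printf '#%%PAM-1.0\n' > "$PAM_DIR/$f"
    for t in auth account password session; do
        printf '%s include %s\n' "$t" "$parent" >> "$PAM_DIR/$f"
    done
done
cat > "$PAM_DIR/sudo.orig" <<'EOF'        # the file the report calls "orig sudo"
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
EOF
cat > "$PAM_DIR/sudo.report" <<'EOF'      # the report's "modified sudo"
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login
EOF
cat > "$PAM_DIR/sudo.fixed" <<'EOF'       # the file from the closing comment
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
EOF

# Report which groups each variant leaves to /etc/pam.d/other.
for svc in sudo.orig sudo.report sudo.fixed; do
    printf '%-12s falls back to other for: %s\n' "$svc" \
        "$(pam_missing_types "$PAM_DIR" "$svc" | tr '\n' ' ')"
done
```

Run against a real system with `pam_missing_types /etc/pam.d sudo`. Both the report's modified file and the file from the closing comment still leave the password group to /etc/pam.d/other; sudo only enters that stack when account management reports an expired password (pam_acct_mgmt returning PAM_NEW_AUTHTOK_REQD, after which sudo calls pam_chauthtok), so with a deny-by-default other that forced password change is the remaining path that would fail.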