FS#40633 - [util-linux] su does not use system-auth in PAM stack

Attached to Project: Arch Linux
Opened by Robin McCorkell (Xenopathic) - Sunday, 01 June 2014, 15:00 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 12:13 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

su uses its own PAM stack that only checks pam_unix.so, which does not work for additional PAM modules such as LDAP or SSSD. su should include the system-auth stack, either directly or through system-local-login, to ensure that all valid modules are being run.

This may also be useful to change in other PAM files, such as the ch* utilities and passwd.

Closed by freswa (frederik)
Sunday, 13 September 2020, 12:13 GMT
Reason for closing: Works for me
Additional comments about closing: Can be configured in /etc/pam.d/su ...
Comment by Doug Newgard (Scimmia) - Friday, 15 May 2015, 03:31 GMT
ping falconindy...
Comment by Olivier Médoc (oliv) - Tuesday, 24 November 2015, 18:38 GMT
The same problem appears in the Qubes-OS project, which calls a graphical X11 session using su.

As a consequence, I have to change the PAM configuration of su and su-l using the following script:

# Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
# Only patch the file if it does not already reference system-login
if ! grep -q system-login /etc/pam.d/su ; then
    echo "Fixing pam.d"
    # After each pam_unix.so line, append an include of the system-login stack
    sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
    sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
    sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
    # su-l gets the same configuration
    cp /etc/pam.d/su /etc/pam.d/su-l
fi

It should be noted that the package nodm apparently fails to start a valid loginctl session, probably for the same reason (I will validate that on the next reboot).
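
An added example, not taken from the report or from any Arch package: a shell check that lists which of auth, account and session in a PAM service file never include a shared stack (system-auth, system-login or system-local-login), which is the condition this report describes. The function name and both sample files are constructed for illustration; the sample mirrors the pam_unix.so lines matched by the sed commands above.

```shell
#!/bin/sh
# Hypothetical helper (not part of util-linux or pambase).
# Usage: pam_missing_includes FILE [STACK...]
# Prints each of auth/account/session for which FILE has no "include" or
# "substack" line naming one of the STACKs.
pam_missing_includes() (
    file=$1; shift
    stacks=${*:-system-auth system-login system-local-login}
    awk -v stacks="$stacks" '
        BEGIN {
            n = split(stacks, s, " ")
            for (i = 1; i <= n; i++) want[s[i]] = 1
            split("auth account session", groups, " ")
        }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)              # "-type" only silences missing-module logging
            if (($2 == "include" || $2 == "substack") && ($3 in want)) ok[type] = 1
        }
        END { for (i = 1; i <= 3; i++) if (!(groups[i] in ok)) print groups[i] }
    ' "$file"
)

# Constructed sample: a service file that only calls pam_unix.so.
sample_dir=$(mktemp -d)
printf '#%%PAM-1.0\n' > "$sample_dir/su"
for t in auth account session; do
    printf '%s\t\trequired\tpam_unix.so\n' "$t" >> "$sample_dir/su"
done

# Constructed sample: the same file with system-login included for each group.
cp "$sample_dir/su" "$sample_dir/su.fixed"
for t in auth account session; do
    printf '%s\t\tinclude\t\tsystem-login\n' "$t" >> "$sample_dir/su.fixed"
done

for f in "$sample_dir/su" "$sample_dir/su.fixed"; do
    missing=$(pam_missing_includes "$f" | tr '\n' ' ')
    echo "$(basename "$f"): groups without a shared stack: ${missing:-none}"
done
```

Pointed at the real files under /etc/pam.d, the same function shows which services would skip modules such as LDAP or SSSD that are configured only in the shared stack.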
