FS#40633 - [util-linux] su does not use system-auth in PAM stack
Attached to Project:
Arch Linux
Opened by Robin McCorkell (Xenopathic) - Sunday, 01 June 2014, 15:00 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 12:13 GMT
Details
su uses its own PAM stack that only checks pam_unix.so,
which does not work for additional PAM modules such as LDAP
or SSSD. su should include the system-auth stack, either
directly or through system-local-login, to ensure that all
valid modules are being run.
This may also be useful to change in other PAM files, such as the ch* utilities and passwd.
Closed by freswa (frederik)
Sunday, 13 September 2020, 12:13 GMT
Reason for closing: Works for me
Additional comments about closing: Can be configured in /etc/pam.d/su ...
As a consequence, I have to change the PAM configuration of su and su-l using the following script:
# Arch Linux specific: update the pam.d configuration for su to enable the systemd-login wrapper
# Only patch the file if system-login is not referenced yet
if ! grep -q system-login /etc/pam.d/su; then
    echo "Fixing pam.d"
    # After each pam_unix.so line, append an include of the system-login stack
    sed '/auth\t\trequired\tpam_unix\.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
    sed '/account\t\trequired\tpam_unix\.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
    sed '/session\t\trequired\tpam_unix\.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
    # su-l gets the same stack
    cp /etc/pam.d/su /etc/pam.d/su-l
fi
It should be noted that the package nodm apparently fails to start a valid loginctl session, probably for the same reason (I will validate that on the next reboot).
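
An audit for the condition this report describes, as an added example that is not part of the original report or its comments: the shell functions below list every facility in a PAM service file that calls pam_unix.so directly with no include or substack of a shared stack. Treating any file named system-* as a shared stack is an assumption based on the system-auth, system-login and system-local-login names above, and the function names are hypothetical.

```shell
# Added example: flag PAM service files that rely on pam_unix.so alone.
# Assumption: shared stacks are the files named system-* (system-auth, ...).

# pam_direct_unix FILE
# Prints each facility (auth, account, session, password) for which FILE
# references pam_unix.so but has no include/substack of a system-* stack.
# Returns 0 when nothing is flagged, 1 otherwise.
pam_direct_unix() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            fac = $1
            sub(/^-/, "", fac)                   # "-session" style prefix is legal
            if ($2 == "include" || $2 == "substack") {
                if ($3 ~ /^system-/) shared[fac] = 1
            } else if ($0 ~ /pam_unix\.so/) {    # also matches [k=v ...] controls
                direct[fac] = 1
            }
        }
        END {
            n = split("auth account session password", order, " ")
            for (i = 1; i <= n; i++) {
                f = order[i]
                if (direct[f] && !shared[f]) { print f; bad = 1 }
            }
            exit bad + 0
        }
    ' "$1"
}

# pam_audit_dir [DIR]
# Runs the check over every service file in DIR (default /etc/pam.d) and
# prints one line per flagged file. Returns 1 if any file was flagged.
pam_audit_dir() {
    dir=${1:-/etc/pam.d}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in system-*) continue ;; esac   # the shared stacks themselves
        if ! out=$(pam_direct_unix "$f"); then
            printf '%s: pam_unix.so without a system-* include for: %s\n' \
                "$f" "$(echo $out)"
            rc=1
        fi
    done
    return $rc
}
```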