Your message dated Mon, 26 Apr 2010 18:40:22 +0200
with message-id <[email protected]>
and subject line Re: cron's default PAM file has 'required' lines after @include
has caused the Debian Bug report #273631,
regarding cron's default PAM file has 'required' lines after @include
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
273631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273631
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cron
Version: 3.0pl1-86
Severity: normal
/etc/pam.d/cron file that is provided by the package has 'required' lines
after @include:
...
@include common-auth
auth required pam_env.so
...
ans so on.
AFAIK, coomon-auth is the place where things like LDAP auth should be
set up. However, such things often have 'sufficient' statements (e.g.
it's sufficient to have user account in unix files, and if it is not
there, it must by in ldap).
As soon as one 'sufficient' line in included file matches, no more
modules will run. So 'required' lines should not be after @include.
-- System Information:
Debian Release: 3.0
APT prefers testing
APT policy: (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7-smp
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R
Versions of packages cron depends on:
ii adduser 3.59 Add and remove users and groups
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libpam0g 0.76-22 Pluggable Authentication Modules l
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Steve Langasek wrote:
> Now that /etc/pam.d/common-* are managed by pam-auth-update (squeeze and
> above), I think this bug can probably be closed: no PAM module profile
> should ever be using 'sufficient', and users are unlikely to be editing
> these files by hand going forward.
>
> It might be reasonable for /etc/pam.d/cron to move the pam_limits line ahead
> of the 'include common-session' line in any case, but I don't think it's a
> very significant bug if you don't.
I'm going to follow your advice and close this bug.
I'll be reviewing the Debian packaging next week (when I'm finally done
with the source bugs). I'll include your recommendation about pam_limits
then.
Thanks,
Christian
signature.asc
Description: OpenPGP digital signature
--- End Message ---
