Package: libpam-script
Version: 1.1.6-1
Severity: grave

Hi,

I am using libpam-script to execute a script in debian-lan when a user
logs in.  Now, with the move to wheezy, I can log in as root with no
password given at the prompt.

The reason is that the script pam_script_auth exits with 0, which is
'sufficient' for login with the patch from #670182.  Before, I was
using 'auth optional pam_script.so' in /etc/pam.d/common-auth as
documented in /usr/share/doc/libpam-script/examples/README.examples :

   For Ubuntu/Debian:
           cat >>/etc/pam.d/common-account <<!
   account optional        pam_script.so
   !
           cat >>/etc/pam.d/common-auth <<!
   auth    optional        pam_script.so
   !
           cat >>/etc/pam.d/common-password <<!
   password        optional        pam_script.so
   !
           cat >>/etc/pam.d/common-session <<!
   session optional        pam_script.so
   !

From reading the docs, I do not expect that the successful execution
of my script is sufficient to log in (as root without password) by
default.  Cf. /usr/share/doc/libpam-script/README :

   Description:
        PAM-script allows you to execute scripts during authorization,
        passwd changes, or session opening or closing.

        So if you need extra work done after login you can use this
        pam module to execute a session script

So I would like to strongly suggest modifying the patch from #670182 and
using either 'optional' or 'required' in the pam stack and not
'sufficient' by default.

Best regards,

     Andi


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-script depends on:
ii  libc6     2.19-9
ii  libpam0g  1.1.8-3.1

libpam-script recommends no packages.

libpam-script suggests no packages.

-- no debconf information
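
An added illustration of the behaviour reported above (not part of the original report and not libpam-script code): a simplified Python model of how libpam walks a stack using only the keyword controls, run on two constructed `auth` stacks. The placement of pam_script.so ahead of pam_unix.so and the module results are assumptions made for the example.

```python
# Simplified model of libpam's walk over one stack, keyword controls only
# (required, requisite, sufficient, optional). Stacks below are constructed.

def parse(conf, group="auth"):
    """Return [(control, module)] for one management group of a PAM config."""
    stack = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (PAM_SUCCESS) or False (any failure)."""
    state = None                      # None: undecided, True: ok so far, False: failed
    for control, module in stack:
        ok = results[module]
        if ok:
            if state is not False:
                state = True
                if control == "sufficient":
                    return True       # stack ends here, later modules never run
        elif control in ("required", "requisite"):
            state = False
            if control == "requisite":
                return False
        # a failing sufficient/optional module is ignored
    return state is True

# Constructed case: the hook script exits 0, the password check fails.
RESULTS = {"pam_script.so": True, "pam_unix.so": False}

SUFFICIENT = parse("""
auth sufficient pam_script.so
auth required   pam_unix.so
""")
OPTIONAL = parse("""
auth optional   pam_script.so
auth required   pam_unix.so
""")

if __name__ == "__main__":
    for name, stack in (("sufficient", SUFFICIENT), ("optional", OPTIONAL)):
        print(name, "->", "login granted" if evaluate(stack, RESULTS) else "login denied")
```

The model does not cover bracketed controls such as `[success=1 default=ignore]`, so a real common-auth file needs its jump actions evaluated as well.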

