Package: libpam-script
Version: 1.1.6-1
Severity: grave

Hi,

I am using libpam-script to execute a script in debian-lan when a user logs in. Now, with the move to wheezy, I can log in as root with no password given at the prompt. The reason is that the script pam_script_auth exits with 0, which is 'sufficient' for login with the patch from #670182.

Before, I was using 'auth optional pam_script.so' in /etc/pam.d/common-auth as documented in /usr/share/doc/libpam-script/examples/README.examples:

For Ubuntu/Debian:

cat >>/etc/pam.d/common-account <<!
account optional pam_script.so
!
cat >>/etc/pam.d/common-auth <<!
auth optional pam_script.so
!
cat >>/etc/pam.d/common-password <<!
password optional pam_script.so
!
cat >>/etc/pam.d/common-session <<!
session optional pam_script.so
!

From reading the docs, I do not expect that the successful execution of my script is sufficient to log in (as root without password) by default. Cf. /usr/share/doc/libpam-script/README:

Description:
PAM-script allows you to execute scripts during authorization, passwd changes, or session opening or closing. So if you need extra work done after login you can use this pam module to execute a session script

So I would like to strongly suggest to modify the patch from #670182 and use either 'optional' or 'required' in the pam stack and not 'sufficient' by default.

Best regards,

Andi

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-script depends on:
ii  libc6     2.19-9
ii  libpam0g  1.1.8-3.1

libpam-script recommends no packages.

libpam-script suggests no packages.

-- no debconf information
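Added example, not part of the original report or of libpam-script: a simplified Python model of how the four keyword control flags combine module results, showing why a pam_script_auth that exits 0 grants the login under 'sufficient' but not under 'optional'. The two-line auth stack, the assumption that pam_unix.so fails for the empty password, and all function names are constructed for illustration; bracket controls such as [success=1 default=ignore] are not modelled.

```python
KEYWORDS = {"required", "requisite", "sufficient", "optional"}

def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d-style file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2]
        if control not in KEYWORDS:
            raise ValueError(f"control {control!r} is not modelled here")
        stack.append((control, module))
    return stack

def auth_succeeds(stack, module_ok):
    """Combine per-module results the way the keyword control flags do."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = module_ok[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True          # stack ends here, later modules never run
            continue                 # a failing 'sufficient' module is ignored
        if ok:
            any_success = True
        elif control == "requisite":
            return False             # fail immediately
        elif control == "required":
            required_failed = True   # fail, but keep running the stack
        # a failing 'optional' module is simply ignored
    return any_success and not required_failed

# Constructed scenario: the script exits 0, the password check fails.
MODULE_OK = {"pam_script.so": True, "pam_unix.so": False}

WITH_SUFFICIENT = """\
auth sufficient pam_script.so
auth required   pam_unix.so
"""
WITH_OPTIONAL = WITH_SUFFICIENT.replace("sufficient", "optional")

def login_granted(config):
    return auth_succeeds(parse_auth_stack(config), MODULE_OK)

if __name__ == "__main__":
    print("sufficient:", login_granted(WITH_SUFFICIENT))
    print("optional:  ", login_granted(WITH_OPTIONAL))
```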