https://bugs.kde.org/show_bug.cgi?id=371067
Bug ID: 371067
Summary: pam_kwallet.so erroneously creates home directories
Product: kwallet-pam
Version: 5.5.5
Platform: Kubuntu Packages
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: c.p.a.van...@uu.nl

I am in the process of configuring a system wherein users' home directories are created via the session pam module pam_mkhomedir.so. However, the module pam_kwallet*.so creates the home directory before the common-session pam modules are activated.

Having pam_kwallet*.so create the home directory results in the home directories having incorrect permissions and the default copy from /etc/skel/ being ignored. A better solution would be to have the pam_kwallet.so fail gracefully if the home directory does not exist yet.

I am using SDDM as login/display manager (pam config in additional info).

Reproducible: Always

Steps to Reproduce:
1. Use sddm (or another display manager with PAM auth set up with pam_kwallet) to login when no homefolder for said user exists yet

Actual Results:
pam_kwallet*.so creates the home directory with default umask (distro dependent) and pretty empty considering it ignores /etc/skel/.

Expected Results:
pam_kwallet*.so fails gracefully letting the rest of the session stack handle the creation of the home directory.

I am running the following related packages on kubuntu 16.04.03
SDDM package : 0.13.0-1ubuntu5
libpam-kwallet4: 4:5.5.5-0ubuntu1
libpam-kwallet5: 4:5.5.5-0ubuntu1

/etc/pam.d/sddm contains:

#%PAM-1.0

# Block login if they are globally disabled
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success

# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
session required pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required pam_env.so

# Load environment from /etc/default/locale
session required pam_env.so envfile=/etc/default/locale

in common-session pam_kwallet?.so should fail gracefully if the user home directory does not yet exist.

-- 
You are receiving this mail because:
You are watching all bug changes.
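
The "fail gracefully" behaviour requested in the report, sketched as an added example (not code from kwallet-pam or from the reporter). The names home_dir_state and may_write_wallet_files are hypothetical, and rejecting a home path whose final component is a symlink or is owned by another user is an assumption of this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for lstat() */
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names; not taken from kwallet-pam. */
enum home_state { HOME_READY, HOME_MISSING, HOME_UNSAFE };

/* Inspect the home directory without creating or modifying anything. */
enum home_state home_dir_state(const char *home, uid_t uid)
{
    struct stat st;

    if (home == NULL || home[0] != '/')
        return HOME_UNSAFE;                 /* refuse empty or relative paths */
    if (lstat(home, &st) != 0)              /* lstat: do not follow a symlink */
        return errno == ENOENT ? HOME_MISSING : HOME_UNSAFE;
    if (!S_ISDIR(st.st_mode))
        return HOME_UNSAFE;                 /* file, symlink, device, ... */
    if (st.st_uid != uid)
        return HOME_UNSAFE;                 /* owned by someone else */
    return HOME_READY;
}

/* 1 = safe to write wallet files; 0 = skip quietly and leave the home
 * directory to the session stack (pam_mkhomedir.so in the report), so
 * its umask and /etc/skel copy are what take effect. */
int may_write_wallet_files(const char *home, uid_t uid)
{
    return home_dir_state(home, uid) == HOME_READY;
}

int main(void)
{
    struct passwd *pw = getpwuid(geteuid());
    if (pw == NULL)
        return 1;
    printf("%s: %s\n", pw->pw_dir,
           may_write_wallet_files(pw->pw_dir, pw->pw_uid) ? "ready" : "skip");
    return 0;
}
```

In a PAM module the skip case would map to returning PAM_IGNORE from the auth hook, so the optional entry does not affect the result of the stack.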