https://bugs.kde.org/show_bug.cgi?id=371067

            Bug ID: 371067
           Summary: pam_kwallet.so erroneously creates home directories
           Product: kwallet-pam
           Version: 5.5.5
          Platform: Kubuntu Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: plasma-b...@kde.org
          Reporter: c.p.a.van...@uu.nl

I am in the process of configuring a system wherein users' home directories are
created via the session pam module pam_mkhomedir.so. However, the module
pam_kwallet*.so creates the home directory before the common-session pam
modules are activated. 

Having pam_kwallet*.so create the home directory results in the home
directories having incorrect permissions and the default copy from /etc/skel/
being ignored. A better solution would be to have the pam_kwallet.so fail
gracefully if the home directory does not exist yet.
I am using SDDM as login/display manager (pam config in additional info). 

Reproducible: Always

Steps to Reproduce:
1. Use sddm (or another display manager with PAM auth set up with pam_kwallet)
to log in when no home folder for said user exists yet

Actual Results:  
pam_kwallet*.so creates the home directory with default umask (distro
dependent) and pretty empty considering it ignores /etc/skel/.

Expected Results:  
pam_kwallet*.so fails gracefully letting the rest of the session stack handle
the creation of the home directory.

I am running the following related packages on Kubuntu 16.04.03:

SDDM package : 0.13.0-1ubuntu5
libpam-kwallet4: 4:5.5.5-0ubuntu1
libpam-kwallet5: 4:5.5.5-0ubuntu1

/etc/pam.d/sddm contains:

#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
session required        pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other
# modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale

 in common-session pam_kwallet?.so should fail gracefully if the user home
directory does not yet exist.

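
One way to implement the guard the report asks for, as an added example that is not kwallet-pam's own code: inspect the home directory with lstat() before writing anything below it, and skip when it is absent, not a real directory, or owned by another user. The names home_state, check_home and may_write_under_home are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum home_state {
    HOME_OK,          /* exists, is a real directory, owned by the user */
    HOME_MISSING,     /* not created yet: leave it to pam_mkhomedir.so */
    HOME_NOT_DIR,     /* symlink, regular file or other non-directory */
    HOME_WRONG_OWNER, /* directory exists but belongs to another uid */
    HOME_ERROR        /* bad path, or lstat failed for another reason */
};

/* Inspect the home directory without creating or modifying anything. */
enum home_state check_home(const char *home, uid_t uid)
{
    struct stat st;

    if (home == NULL || home[0] != '/')
        return HOME_ERROR;                 /* refuse empty or relative paths */
    if (lstat(home, &st) != 0)
        return errno == ENOENT ? HOME_MISSING : HOME_ERROR;
    if (!S_ISDIR(st.st_mode))
        return HOME_NOT_DIR;               /* lstat does not follow symlinks */
    if (st.st_uid != uid)
        return HOME_WRONG_OWNER;
    return HOME_OK;
}

/* A module would call this before writing below the home directory and
 * return PAM_IGNORE (assumed policy) for every state except HOME_OK. */
int may_write_under_home(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_dir == NULL)
        return 0;
    return check_home(pw->pw_dir, pw->pw_uid) == HOME_OK;
}

int main(void)
{
    struct passwd *pw = getpwuid(geteuid()); /* current user as sample input */
    printf("%s\n", may_write_under_home(pw) ? "home ready" : "skip");
    return 0;
}
```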