The attachment "util-linux_2.31.1_runuser_pam.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1804417

Title:
  runuser doesn't authenticate PAM modules

Status in util-linux package in Ubuntu:
  New

Bug description:
  We use the pam_localuser.so PAM module to authenticate only local users for root to become. Because we don't want that root can become a domain user (as we use sssd with ad integration). This works well with the su program, but fails with runuser.

  We added the following in front of pam_rootok.so in the files /etc/pam.d/su and runuser:

    auth required pam_localuser.so

  As I have found out, this behaviour can easily be changed by applying the following patch:

diff -urN util-linux-2.31.1/login-utils/su-common.c util-linux-2.31.1/login-utils/su-common.c --- util-linux-2.31.1/login-utils/su-common.c 2018-11-21 10:56:05.100179733 +0100 +++ util-linux-2.31.1/login-utils/su-common.c 2018-11-21 11:10:40.458312830 +0100 @@ -709,7 +709,6 @@ */ if (su->restricted) errx(EXIT_FAILURE, _("may not be used by non-root users")); - return; } rc = pam_authenticate(su->pamh, 0);

  And it works as expected:

    # runuser domainuser
    runuser: Permission denied

  However, we would always need to recompile util-linux as new security updates come out. Could this please be applied to the Ubuntu repository and backported for bionic?

  I will contact the util-linux maintainer separately in order to get this upstream.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1804417/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
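
Review bot: with the `- return;` gone from the block after `if (su->restricted)`, the root-invoked runuser path falls through to `rc = pam_authenticate(su->pamh, 0);` unconditionally, so the outcome now depends entirely on the auth stack in /etc/pam.d/runuser. The report relies on pam_rootok.so following pam_localuser.so in that file; a stack without such a module would start prompting or failing for callers that were never authenticated before, which matters for non-interactive use. Please state that dependency in the changelog or man page, and consider whether the behaviour should be opt-in rather than a silent change for every caller. The comment block that closes with `*/` just above the check is also left untouched; if it explains the early return, it should be updated in the same patch.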