> 
> > Here are the modified pam files, all the others are left untouched,
> 
> Ok, sure; in that case the "sufficient + sufficient" is not the complete
> stack, and the return value is controlled by the presence of other PAM
> modules listed in the per-service config files (/etc/pam.d/login and
> /etc/pam.d/gdm) which, though relevant, are not sufficient to ensure that
> unauthorized users don't gain access.
>

Right, the required pam_nologin I guess.

So in light of this, maybe the configuration might be improved (like with
pam_deny) to prevent this kind of mistake from having a nasty effect. Of course
it's best to praise better understanding when messing with PAM conf (which is
always a nasty thing to do), but it wouldn't hurt imho. Anyway, you decide.

> > Btw, the decision upon an ignore return code as opposed to bad/die is entirely
> > delegated to the application, and not to pam itself.
> 
> Sorry, not true.  PAM_IGNORE is not a valid return value from any of the
> pam_* API calls according to the spec, and Linux-PAM does translate a stack
> result of "ignore" to a return value of PAM_PERM_DENIED before returning to
> the caller.
>

Yes, it looks like you are right, my mistake. Sorry for the confusion.

-- 
pam configuration could use safer defaults
https://bugs.launchpad.net/bugs/152912
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
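The exchange above turns on two points: what a stack of only "sufficient" modules returns when none of them vouches for the user, and why a trailing `required pam_deny.so` makes the denial explicit in the configuration instead of relying on the library's "ignore" to PAM_PERM_DENIED translation. The following is an added example, not code from the thread or from Linux-PAM: a deliberately simplified model of how the four classic control flags (required, requisite, sufficient, optional) combine module results. The stack text, module names `pam_foo.so` and the per-module return codes are constructed for illustration; `pam_deny.so` is modelled as always returning PAM_AUTH_ERR, which is what its authenticate hook does.

```python
# Added example (not Linux-PAM code): a simplified model of stack evaluation for
# the classic control flags, used to compare a "sufficient only" stack with one
# that ends in "required pam_deny.so". Module results are constructed inputs.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text):
    """Parse pam.d-style lines 'type control module [args]' into (control, module)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        control, module = fields[1].lower(), fields[2]
        if control not in CONTROLS:
            raise ValueError(f"unsupported control flag (model only): {control}")
        stack.append((control, module))
    return stack


def run_stack(stack, results):
    """Evaluate one management group. `results` maps module -> constructed return code.

    Simplified rules: requisite failure ends the stack at once; required failure
    is remembered but later modules still run; sufficient success ends the stack
    unless a required module already failed; anything else from a sufficient
    module is ignored. If nothing produced a result, the caller is handed
    PAM_PERM_DENIED rather than PAM_IGNORE, as the thread notes Linux-PAM does.
    """
    recorded_failure = None
    saw_success = False
    for control, module in stack:
        rv = results.get(module, PAM_IGNORE)
        if control == "requisite":
            if rv == PAM_SUCCESS:
                saw_success = True
            elif rv != PAM_IGNORE:
                return rv
        elif control == "required":
            if rv == PAM_SUCCESS:
                saw_success = True
            elif rv != PAM_IGNORE and recorded_failure is None:
                recorded_failure = rv
        elif control == "sufficient":
            if rv == PAM_SUCCESS and recorded_failure is None:
                return PAM_SUCCESS
        elif control == "optional":
            if rv == PAM_SUCCESS:
                saw_success = True
    if recorded_failure is not None:
        return recorded_failure
    if saw_success:
        return PAM_SUCCESS
    return PAM_PERM_DENIED          # empty result: library-supplied denial


def has_final_deny(stack):
    """Config check: does the group end with a required/requisite pam_deny.so?"""
    if not stack:
        return False
    control, module = stack[-1]
    return module == "pam_deny.so" and control in ("required", "requisite")


# Constructed stacks: the loose one has nothing to fall back on; the safe one
# spells out the denial with pam_deny so the result does not depend on how the
# library treats a stack that set no result at all.
LOOSE_STACK = """
auth sufficient pam_foo.so
auth sufficient pam_unix.so
"""
SAFE_STACK = LOOSE_STACK + "auth required pam_deny.so\n"


def demo():
    loose, safe = parse_stack(LOOSE_STACK), parse_stack(SAFE_STACK)
    nobody_vouches = {"pam_foo.so": PAM_IGNORE, "pam_unix.so": PAM_AUTH_ERR,
                      "pam_deny.so": PAM_AUTH_ERR}
    unix_ok = {"pam_foo.so": PAM_IGNORE, "pam_unix.so": PAM_SUCCESS,
               "pam_deny.so": PAM_AUTH_ERR}
    return {
        "loose/no-result": run_stack(loose, nobody_vouches),   # denied only by translation
        "safe/no-result": run_stack(safe, nobody_vouches),     # denied by pam_deny itself
        "safe/unix-ok": run_stack(safe, unix_ok),              # sufficient success short-circuits
        "loose-has-deny": has_final_deny(loose),
        "safe-has-deny": has_final_deny(safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both stacks refuse the user who nobody vouches for, which is the thread's conclusion, but only the safe one does so because a module said so; `has_final_deny` is the kind of one-line audit a packager could run over `/etc/pam.d` to flag groups that lean on the empty-result fallback.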
