> > > Here are the modified pam files, all the others are left untouched,
> >
> Ok, sure; in that case the "sufficient + sufficient" is not the complete
> stack, and the return value is controlled by the presence of other PAM
> modules listed in the per-service config files (/etc/pam.d/login and
> /etc/pam.d/gdm) which, though relevant, are not sufficient to ensure that
> unauthorized users don't gain access.
>
Right, the required pam_nologin I guess. So in light of this, maybe the configuration might be improved (like with pam_deny) to prevent this kind of mistake from having a nasty effect. Of course it's best to praise better understanding when messing with PAM conf (which is always a nasty thing to do), but it wouldn't hurt imho. Anyway, you decide.

> > Btw, the decision upon ignore return code opposed to bad/die is entirely
> > delegated to the application, and not to pam itself.
>
> Sorry, not true. PAM_IGNORE is not a valid return value from any of the
> pam_* API calls according to the spec, and Linux-PAM does translate a stack
> result of "ignore" to a return value of PAM_PERM_DENIED before returning to
> the caller.
>

Yes, it looks like you are right, my mistake. Sorry for the confusion.

--
pam configuration could use safer defaults
https://bugs.launchpad.net/bugs/152912
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
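As an added illustration that is not part of the bug thread or of any Ubuntu package: a small Python check for the "sufficient + sufficient" stack discussed above, flagging any management group whose stack ends in a `sufficient` rule with no `pam_deny.so` fallback, beside the same stack with the explicit denial appended. The two pam.d fragments are constructed samples (the pam_unix/pam_ldap lines are assumed, not taken from the bug), and `@include` directives are skipped rather than followed.

```python
import re

# Constructed sample: an auth stack made only of "sufficient" rules, so if every
# module fails nothing in the file itself settles the result.
WEAK_PAM = """\
auth     sufficient  pam_unix.so nullok_secure
auth     sufficient  pam_ldap.so use_first_pass
account  required    pam_unix.so
"""

# Same stack with an explicit fallback: a failed auth stack now ends at pam_deny
# instead of relying on how the library treats an "ignore" stack result.
SAFE_PAM = """\
auth     sufficient  pam_unix.so nullok_secure
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
"""

# type, control word or [bracketed] control, module; arguments are ignored.
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_rules(text):
    """Yield (type, control, module) per rule; comments, blank lines and
    @include directives are skipped (included files are not followed)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = RULE_RE.match(line)
        if m:
            typ, control, module = m.groups()
            yield typ.lstrip("-").lower(), control.lower(), module.lower()


def stacks_without_fallback(text):
    """Return the management groups (auth, account, ...) whose last rule is
    'sufficient' and which contain no pam_deny rule at all."""
    groups = {}
    for typ, control, module in parse_rules(text):
        groups.setdefault(typ, []).append((control, module))
    findings = []
    for typ, rules in groups.items():
        last_control = rules[-1][0]
        has_deny = any(mod == "pam_deny.so" for _, mod in rules)
        if last_control == "sufficient" and not has_deny:
            findings.append(typ)
    return sorted(findings)
```

Bracketed controls such as `[success=1 default=ignore]` are parsed but never flagged, so the check is deliberately conservative on stacks that use the explicit syntax.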