Return only PAM_IGNORE or error from pam_motd
Bug #1856703 reported by
Balint Reczey
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Eoan |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
tags: | added: id-5d78fc6cca6d1b77a77952cc |
To post a comment you must log in.
[ Impact ]
* In highly unlikely non-default configuration pam_motd may be configured to influence PAM's authentication and reporting PAM_SUCCESS may let users in the system.
* The fix is returning only PAM_IGNORE and error values.
[ Test Case ]
* Configure PAM to deny access when pam_motd returns PAM_SUCCESS:
$ cat /etc/pam.d/login
... motd.dynamic
session [success=die ignore=ignore] pam_motd.so motd=/run/
...
* Try to log in:
# login ubuntu
* Observe being able to log in due to pam_motd not returning PAM_SUCCESS
[Regression Potential]
* Minimal this is a fix partially reverting the behaviour change that was found undesired in LP: #1855092 . The return value of pam_motd is ignored in real-world configurations, thus it does not matter.