110418 – default pam configuration doesn't honour /etc/nologin

Bug 110418 - default pam configuration doesn't honour /etc/nologin

Summary: default pam configuration doesn't honour /etc/nologin

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Core system (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	PAM Gentoo Team (OBSOLETE)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-10-25 02:21 UTC by Felix Braun
Modified:	2006-01-16 07:21 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Braun 2005-10-25 02:21:07 UTC

If /etc/nologin exists users are still allowed to log in, the message is not
displayed.

Reproducible: Always
Steps to Reproduce:
1. echo "Testing" >/etc/nologin
2. try to log in


Actual Results:  
You successfully log in

Expected Results:  
If you're root /etc/nologin gets displayed but you are still logged in,
otherwise access should be denied.

Portage 2.0.53_rc6 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.5-r2,
2.6.13.4 i686)
=================================================================
System uname: 2.6.13.4 i686 AMD Athlon(TM) XP 2200+
Gentoo Base System version 1.12.0_pre9
distcc[26714] (dcc_trace_version) distcc 2.18.3 i686-pc-linux-gnu; built Aug  9
2005 10:58:21 [disabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -fweb -frename-registers"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -fweb -frename-registers"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://pandemonium.tiscali.de/pub/gentoo/
http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://gentoo.mirror.icd.hu/"
LANG="de_DE.UTF-8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/got"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac acpi alsa apache2 audiofile avi berkdb bitmap-fonts bzlib
caps cdparanoia cdr cjk crypt cups curl dbus dv dvd dvdread emboss encode exif
ffmpeg flac foomaticdb gdbm gif gstreamer gtk gtk2 guile hal imagemagick imap
imlib java jpeg libg++ libwww mad mikmod mmap mmx mp3 mpeg ncurses nls nptl
nsplugin offensive ogg oggvorbis opengl pam pdflib perl png python quicktime
readline sdl shared sharedmem slang speex spell sse ssl svg tcpd tetex theora
tiff truetype truetype-fonts type1-fonts udev unicode usb vorbis win32codecs wmf
x86 xface xml2 xmms xv xvid zh_TW zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS

Comment 1 Felix Braun 2005-10-25 03:44:14 UTC

The documentation at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.17 says
that pam_nologin.so should be called *before* any sufficient methods. However
the current default config calles pam_nologin as the *last* module in the auth
stack.

Comment 2 Felix Braun 2006-01-16 07:21:18 UTC

This problem seems to have gone away by itself :-/