Starting with sys-apps/util-linux-2.29 the Gentoo ebuild installs the PAM configuration for runuser (see #484754). To make things consistent the util-linux ebuild should also install the PAM configuration for su and su-l. Currently /etc/pam.d/su-l is installed by no ebuild and /etc/pam.d/su is installed by sys-auth/pambase. If that is too much hassle, I suggest adding a su-l config file to pambase.
Now that (thanks to bug #699930) it is possible to use su from sys-apps/util-linux, this bug started to actually bite:

server ~ # su --login
su: Authentication failure

This is because su from sys-apps/util-linux uses the /etc/pam.d/su-l file when starting a login shell, but sys-auth/pambase only installs /etc/pam.d/su. Either sys-auth/pambase should install the /etc/pam.d/su-l file or sys-apps/util-linux[su] should do so.
(In reply to Maciej S. Szmigiero from comment #1)
> server ~ # su --login
> su: Authentication failure

I am having the same problem: su from shadow actually works, but su from util-linux does not.
Created attachment 626370
simple ebuild addition

A small change to the ebuild and a su-l file from Debian fixes su.
Created attachment 626372
sample su-l pam file, I grabbed this one from Debian somewhere
I doubt the proposed difference with /etc/pam.d/su is a good idea:

session optional pam_keyinit.so force revoke

Here is what pam_keyinit(8) says:

This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this.
(In reply to Alex Efros from comment #5)
> I doubt the proposed difference with /etc/pam.d/su is a good idea:
>
> session optional pam_keyinit.so force revoke
>
> Here is what pam_keyinit(8) says:
>
> This module should not, generally, be invoked by programs like su,
> since it is usually desirable for the key set to percolate through
> to the alternate context. The keys have their own permissions system
> to manage this.

"-, -l, --login
Provide an environment similar to what the user would expect had the user logged in directly."

So with the su-l file being used for this purpose, it sounds reasonable to have the session keyring replaced unconditionally (force) and for that new keyring to go away when it exits (revoke). Though I don't really know much about PAM personally, I can see that from the man page.
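An added example, not part of the bug thread or of any Gentoo ebuild: a shell check for the two points raised in the comments above, namely whether a pam.d directory holds the su and su-l service files that util-linux su looks up, and which options a pam_keyinit.so session line carries. The function names and the sample files are constructed for illustration; falling back to the "other" service when a service file is absent is standard Linux-PAM behaviour.

```shell
#!/bin/sh
# Added example: audit a pam.d directory for the files discussed in this bug.

# pam_service_status DIR SERVICE
# "present"        DIR/SERVICE exists
# "fallback-other" DIR/SERVICE is absent, so Linux-PAM applies DIR/other
# "missing"        neither file exists
pam_service_status() {
    if [ -f "$1/$2" ]; then
        echo present
    elif [ -f "$1/other" ]; then
        echo fallback-other
    else
        echo missing
    fi
}

# keyinit_options FILE
# Prints the options of each active (uncommented) session line that loads
# pam_keyinit.so, one line of output per matching rule.
keyinit_options() {
    awk '$1 == "session" || $1 == "-session" {
        for (i = 3; i <= NF; i++) if ($i ~ /(^|\/)pam_keyinit\.so$/) {
            opts = ""
            for (j = i + 1; j <= NF; j++) opts = (opts == "" ? "" : opts " ") $j
            print opts
        }
    }' "$1"
}

# audit_su DIR: report both service names util-linux su may use.
audit_su() {
    for svc in su su-l; do
        printf '%s: %s\n' "$svc" "$(pam_service_status "$1" "$svc")"
    done
}

# Constructed sample tree: only "su" and "other" exist at first, as when
# pambase is the sole provider; then a su-l file with the debated line.
demo=$(mktemp -d)
printf 'auth sufficient pam_rootok.so\n' > "$demo/su"
printf 'auth required pam_deny.so\n' > "$demo/other"
audit_su "$demo"
printf 'session optional pam_keyinit.so force revoke\n' > "$demo/su-l"
audit_su "$demo"
keyinit_options "$demo/su-l"
rm -rf "$demo"
```

On a real system, run audit_su /etc/pam.d; a "fallback-other" result for su-l matches the "Authentication failure" reported for su --login when the "other" policy denies.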
I think this is fixed by https://github.com/gentoo/gentoo/commit/e1a92e8706aaf62d1850fddcf2739323afc44bcd (sorry for not noticing the bug). Note that we're now migrating to su from util-linux as shadow is deprecating it.
Hi,

util-linux cannot configure with USE="su -pam":

configure: error: su selected, but required PAM header file not available
(In reply to Xavier Miller from comment #8)
> Hi,
>
> util-linux cannot configure with USE="su -pam":
>
> configure: error: su selected, but required PAM header file not available

Please file a new bug with the full build.log and config.log. That said, if util-linux su needs PAM, there's not much we can do about that. shadow su supports no PAM but they're removing it in future. You can still enable it for now.
(In reply to Sam James from comment #9)
> (In reply to Xavier Miller from comment #8)
> > Hi,
> >
> > util-linux cannot configure with USE="su -pam":
> >
> > configure: error: su selected, but required PAM header file not available
>
> Please file a new bug with the full build.log and config.log. That said, if
> util-linux su needs PAM, there's not much we can do about that. shadow su
> supports no PAM but they're removing it in future. You can still enable it
> for now.

Upstream say: "Note: From this release forward, su from this package should be considered deprecated. Please replace any users of it with su from util-linux. Please open an issue if there is a problem with that. We intend to remove it in an upcoming release."

Maybe you should file a bug with them saying you don't use PAM.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe07c3e46ee67b99c88c249cacaab79336e68682

commit fe07c3e46ee67b99c88c249cacaab79336e68682
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-20 08:22:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-20 08:22:36 +0000

    sys-apps/util-linux: su requires PAM

    Right now, util-linux su requires PAM -- shadow's doesn't.

    Bug: https://github.com/shadow-maint/shadow/issues/464
    Closes: https://bugs.gentoo.org/622666
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/util-linux/util-linux-2.37.2-r3.ebuild | 2 +-
 sys-apps/util-linux/util-linux-9999.ebuild      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(In reply to Sam James from comment #10)
> Maybe you should file a bug with them saying you don't use PAM.

I gave in and filed it https://github.com/shadow-maint/shadow/issues/464 ;)

But any further discussion we'll do in a new bug.
*** Bug 829710 has been marked as a duplicate of this bug. ***