I'm not sure if this is a bug or a security conscious decision. It seems that I'm missing /etc/pam.d/runuser and /etc/pam.d/runuser-l which prevents runuser(1) from working. I imagine these should be included with sys-auth/pambase.
Borrowing copies from a Fedora system seems to have runuser working as expected.
at a glance, it looks like we want "runuser" to be the same as "su", and "runuser-l" to be the same as "login"
since these are only used by the runuser program from util-linux, it looks like it should be part of util-linux rather than pambase
*** Bug 570380 has been marked as a duplicate of this bug. ***
*** Bug 553122 has been marked as a duplicate of this bug. ***
When I try tu use puppetserver. Service fails right a way and when I try tu run "#puppetserver foreground --debug" it fails with "runuser: Failure setting user credentials"
Add me to the list of affected users. Trying to install Atlassian Jira on a gentoo system, their startup scripts fail quickly every time. After a bunch of digging and strace()ing, found that their startup scripts require a functioning "runuser", which Gentoo doesn't have due to this pam misconfiguration. If /etc/pam.d/runuser* is missing, PAM falls back to "other", which is pam_deny everything.
I can confirm that copying /etc/pam.d/su to /etc/pam.d/runuser resolves the issue.
@spanky I'd agree that it should be part of util-linux. Also now affected.
fixed in 2.29.2-r1