sesman: auth session before fork #694
+1 |
The change looks good. But I want you to include "why" in commit message for future source code reading. "Why" is always more important than "What". In this change, to create home directory, right? It's OK to do force push in unmerged PRs. |
Correct session management is necessary for more things than just to create the home directory. Here are some reasons: -> Create home directory on demand and so on ..... |
I'm a big fan of good comments in the code, however... The reader of the code would not see that Those who want to dig deeper should be able to find the commit and its comment. That would provide information about the change and the reason behind it. Of course, if somebody can come with a useful comment about the |
I think most of correct session management procedures can be done in PAM. Of course I don't intend to block merging this PR. We can add comments whenever later. |
#688 describes the correct setup of the pam configuration, but that doesn't help as long as auth_start_session is called in the wrong place. So just write as comment something like: "Calling auth_start_session in the correct place, otherwise pam session management fails" |
Does it also fix the issue if auth_start_session is moved above wait_for_xserver? |
After looking closer, I think it's right now. auth_start_session and auth_stop_session are called in same process now. Before this PR
After this PR
|
This patch doesn't work with pam_krb5 on Debian 8. |
@rolnas can you add your pam.d/common-* files to understand the problem? |
On 16.03.2017 at 18:29, Blindauer Emmanuel wrote:
@rolnas <https://github.com/rolnas> can you add your pam.d/common-* files to
understand the problem ?
I'm using pam_krb5 or pam_ldap with xrdp for several years without problem.
The problem is _not_ authorization as you need for pam_ldap or pam_krb5. It is
session management. For example pam_limits was not working (pam_limits has
_only_ the session module).
Sincerely,
Klaus
…--
Rechnerbetriebsgruppe / IT, Fakultät für Physik
Klaus Steinberger
FAX: +49 89 28914280
Tel: +49 89 28914287
|
I created #696 that can replace this PR. Hopefully it works for everyone. |
Use CVE-2017-6967. |
It's just #704 for the fix. Can someone else confirm it's fixed? |
I confirm it. I think the pam process is now ok: before, if pam_krb5 was used, the environment variable set by the module wasn't available in the user session and the file created by the module was owned by root. Now the variable is set and file owned by user. |
So, the home directory can be created by "pam_mkhomedir".
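
The effect discussed in this thread, that limits and environment variables set up by session modules reach the user session only when the session is opened before the fork, can be reproduced without PAM. The following is an added illustration, not xrdp code and not part of any comment above: `demo_open_session` is a hypothetical stand-in for a PAM session hook, and `DEMO_NOFILE` and `DEMO_SESSION_VAR` are constructed values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_NOFILE 64               /* constructed limit, like a limits.conf entry */
#define DEMO_VAR "DEMO_SESSION_VAR"  /* hypothetical variable exported by a module */

/* Stand-in for a PAM session hook: it changes only the calling process. */
static void demo_open_session(void) {
    struct rlimit rl = { .rlim_cur = DEMO_NOFILE, .rlim_max = DEMO_NOFILE };
    setrlimit(RLIMIT_NOFILE, &rl);   /* lowering a limit needs no privilege */
    setenv(DEMO_VAR, "set-by-session-hook", 1);
}

/* Runs inside the forked user session: is the hook's state visible here? */
static int session_sees_state(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 &&
           rl.rlim_cur == DEMO_NOFILE && getenv(DEMO_VAR) != NULL;
}

/* 1 = user session inherited the hook's state, 0 = it did not, -1 = error. */
int run_session(int open_before_fork) {
    int st;
    pid_t user, mgr = fork();        /* one isolated "session manager" per run */
    if (mgr == 0) {
        unsetenv(DEMO_VAR);
        if (open_before_fork)
            demo_open_session();     /* open the session, then fork */
        if ((user = fork()) == 0)
            _exit(session_sees_state() ? 0 : 1);   /* the user session */
        if (!open_before_fork)
            demo_open_session();     /* too late: the child already exists */
        if (user < 0 || waitpid(user, &st, 0) < 0 || !WIFEXITED(st))
            _exit(2);
        _exit(WEXITSTATUS(st));
    }
    if (mgr < 0 || waitpid(mgr, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1)
        return -1;
    return WEXITSTATUS(st) == 0;
}

int main(void) {
    printf("before fork: %d, after fork: %d\n", run_session(1), run_session(0));
    return 0;
}
```

With real PAM the same inheritance rule applies to whatever the session modules change in the calling process, which is why the placement of the session open relative to the fork matters.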