Bug#739676: systemd-user PAM config breaks some libpam-* modules

Christian Kastner debian at kvr.at
Wed Jan 21 14:04:30 GMT 2015


Hi Martin,

On 2015-01-21 11:35, Martin Pitt wrote:
> On both my Debian sid and my Ubuntu system, the only difference
> between common-session and common-session-noninteractive is that the
> latter does not include libpam-systemd.

Generally speaking, I believe (but haven't verified) that this will be
the case for all packages where the Debian PAM meta-config sets the
following flag:

    Session-Interactive-Only: yes

I found that in src:systemd/debian/pam-configs/systemd. At least, that
would explain the difference you observed.

> Thus on a system which does *not* use any additional pam module, this
> should effectively be a no-op change and thus quite safe.

Yep! For the "systemd-user" PAM config, the move to -noninteractive only
does one thing, namely to drop the implied pam_systemd. By re-adding it
explicitly to the config (patch v2), the result on such systems must be
a no-op.

> Indeed installing libpam-mount only adds itself to common-session, not
> to common-session-noninteractive. So with this change we would get the
> desired effect.

Yep. Rephrased, this means that on systems that *do* use additional PAM
modules, this change would drop ops, but those ops shouldn't have been
there in the first place. "systemd-user" should not call pam_mount,
pam_script, etc.

This does not affect the user; the "frontend" PAM sessions started by
login, lightdm, and so on all @include common-session. This is only
about the "systemd-user" session triggered in the background. So it really
should be safe.

Regards,
Christian
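
Added example, not part of the original message or of the systemd packaging: a way to check the claim above on a given system by listing the session modules that appear in common-session but not in common-session-noninteractive, and which of those the move would drop once pam_systemd is re-added explicitly. The two sample stacks are constructed; the function names and the /etc/pam.d/ locations are assumptions of this example.

```python
import os
import re

# A PAM line is "<type> <control> <module> [args]"; the control field is
# either a single word or a bracketed [value=action ...] block.
_SESSION = re.compile(r'^\s*-?session\s+(?:\[[^\]]*\]|\S+)\s+(\S+)')

def session_modules(text):
    """Ordered list of module names found on 'session' lines."""
    mods = []
    for line in text.splitlines():
        m = _SESSION.match(line.split('#', 1)[0])  # strip comments first
        if m:
            mods.append(os.path.basename(m.group(1)))
    return mods

def interactive_only(common_session, noninteractive):
    """Modules present in common-session but absent from -noninteractive."""
    non = set(session_modules(noninteractive))
    return [m for m in session_modules(common_session) if m not in non]

def dropped_by_move(common_session, noninteractive):
    """What "systemd-user" loses when it includes -noninteractive and
    names pam_systemd explicitly; an empty list means a no-op change."""
    return [m for m in interactive_only(common_session, noninteractive)
            if m != 'pam_systemd.so']

# Constructed sample stacks (libpam-mount and libpam-systemd installed).
SAMPLE_NONINTERACTIVE = """\
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session required      pam_unix.so
"""
SAMPLE_SESSION = SAMPLE_NONINTERACTIVE + """\
session optional      pam_mount.so   # added by libpam-mount
session optional      pam_systemd.so
"""

if __name__ == '__main__':
    paths = ['/etc/pam.d/common-session',
             '/etc/pam.d/common-session-noninteractive']
    if all(os.path.exists(p) for p in paths):
        cs, csn = (open(p).read() for p in paths)
    else:
        cs, csn = SAMPLE_SESSION, SAMPLE_NONINTERACTIVE
    print('interactive-only:', interactive_only(cs, csn))
    print('dropped by move :', dropped_by_move(cs, csn))
```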



