
tools: Require pam_shells for logging in

Prevent users with /bin/false, /sbin/nologin or similar invalid shells
from logging into Cockpit.

This does not work under Atomic as the tests use ssh to log in, so skip
the new test under Atomic.

Note: /sbin/nologin is still accepted in Fedora ≤ 25, which is a bug
(https://bugzilla.redhat.com/show_bug.cgi?id=1378893).

Fixes #3798
Closes #5665
Reviewed-by: Stef Walter <stefw@redhat.com>
martinpitt authored and stefwalter committed Jan 3, 2017
1 parent 43b85f0 commit a96ec9b8343226c666653b957a70691769acf6e3
Showing with 10 additions and 0 deletions.
  1. +8 −0 test/verify/check-login
  2. +1 −0 tools/cockpit.debian.pam
  3. +1 −0 tools/cockpit.pam
@@ -75,6 +75,14 @@ account required pam_succeed_if.so user ingroup %s""" % m.get_admin_group
else:
b.wait_text("#login-error-message", "Permission denied")
# Try to login with disabled shell; this does not work on Atomic where
# we log in through ssh
if m.image not in ["continuous-atomic", "fedora-atomic", "rhel-atomic"]:
m.execute("usermod --shell /bin/false admin")
login("admin", "foobar")
b.wait_text_not("#login-error-message", "")
m.execute("usermod --shell /bin/bash admin")
# Login as admin
b.open("/system")
login("admin", "foobar")
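Review bot: the assertion `b.wait_text_not("#login-error-message", "")` passes on any non-empty error, so it cannot tell a pam_shells rejection apart from an unrelated login failure. Asserting the expected message text, as the "Permission denied" check just above does, would make the test specific to this change. Separately, if that wait fails, `usermod --shell /bin/bash admin` never runs and the admin account is left with /bin/false; restoring the shell in a cleanup step would avoid that.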
@@ -4,6 +4,7 @@ auth substack common-auth
auth optional pam_reauthorize.so prepare
auth optional pam_ssh_add.so
account required pam_nologin.so
account required pam_shells.so
account include common-account
password include common-password
# pam_selinux.so close should be the first session rule
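Review bot: the added `account required pam_shells.so` line carries no comment, and its effect is wider than the commit subject suggests: pam_shells denies every account whose login shell is not listed in /etc/shells, not only /bin/false or /sbin/nologin. A one-line comment above it saying so, in the style of the existing pam_selinux.so comment, would help an admin whose users have a shell that is not registered in /etc/shells understand why Cockpit login is refused.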
@@ -5,6 +5,7 @@ auth include postlogin
auth optional pam_reauthorize.so prepare
auth optional pam_ssh_add.so
account required pam_nologin.so
account required pam_shells.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
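Review bot: what `account required pam_shells.so` blocks here depends entirely on the contents of /etc/shells, and the commit message already records that /sbin/nologin is still accepted on Fedora ≤ 25. That limitation is only visible in the commit log; a comment next to this line pointing at the Bugzilla entry would keep it in front of anyone reading the PAM file, and the new test only exercises /bin/false, so the nologin case stays unverified.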
