systemd does not invoke pam_end properly #22318
Comments
|
Digging deeper, I am a bit puzzled: systemd does invoke pam_end, it just does not add the flag PAM_DATA_SILENT, which, looking at the documentation, does not seem too critical, but then I don't really know PAM... |
|
The |
|
@AndrewGMorgan so in a better world the flag would be named PAM_CALLING_IN_CHILD or so? Or maybe PAM_NOT_CALLING_IN_PARENT? |
|
Uhh, thanks for the background info. Comparing to similar flags such as PAM_SILENT which were more about suppressing user logging, this flag seems to have much more serious purposes. Even more than a "makes PAM not take the call too seriously" (paraphrased from the manpage) :-) |
|
Possibly, but it has been named this way since around (I suspect before) the year 2000. I seem to recall there were some use cases wanting to have a hook in the PAM stack that executed a callback after the application called However, it was normally the case that the terminating (full end) |
Fixes: systemd#22318 (cherry picked from commit 7feb2b5)
This is a spinoff of #17564 (comment) which is about enabling WakeSystem= for user units.
libcap and (previous) PAM author AndrewGMorgan comments that systemd likely does not use the PAM API correctly with regard to pam_end(). I cannot claim to understand half of it, but the linked comment contains more pointers to likely code culprits. It would be great if somebody familiar with the systemd code base could look at whether that is a problem, in order to unblock the WakeSystem progress.
Specifically, the lack of the PAM_DATA_SILENT flag in pam_end (
systemd/src/core/execute.c
Line 1346 in 673a181
Thanks for systemd!