Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 154030

Summary: pam_nologin locks out root as well as nonroot users
Product: Red Hat Enterprise Linux 4 Reporter: Brad Smith <brads>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Jay Turner <jturner>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: mark.nelson, srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam-0.77-66.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-16 11:04:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Strace of mingetty denying root access while /etc/nologin exists
none
ltrace of mingetty denying root access when /etc/nologin exists none

Description Brad Smith 2005-04-06 17:28:29 UTC
Description of problem:
According to past experience and the current pam documetation, the presense of a /etc/nologin file should prevent nonroot logins but still permit root access. However, this does not appear to be the case. 

Version-Release number of selected component (if applicable):
pam-0.77-65.1

How reproducible:
Always. To reproduce:
1) Create /etc/nologin
2) Attempt to login as root via a virtual console. Access will be denied. For any user a line like the following will be appended to /var/log/secure:

Apr  5 21:04:54 marco login[3570]: Please ignore underlying account module

Note that ssh logins as root will still succeed. This is because sshd handles interpretation of /etc/nologin internally and ignores the pam_nologin reference in /etc/pam.d/sshd (so I think that line might be superfluous). 

I will attach an strace and an ltrace of a mingetty instance failing to allow root access while /etc/nologin exists. The problem appears to be in pam_setcred(), near the end of the ltrace. However, I can't troubleshoot it much beyond that.

Comment 1 Brad Smith 2005-04-06 17:30:15 UTC
Created attachment 112766 [details]
Strace of mingetty denying root access while /etc/nologin exists

Comment 2 Brad Smith 2005-04-06 17:31:24 UTC
Created attachment 112767 [details]
ltrace of mingetty denying root access when /etc/nologin exists

Comment 3 Brad Smith 2005-04-06 17:33:01 UTC
Sorry about the formatting. So much for my experiment with using links. =:\

Comment 4 Tomas Mraz 2005-04-06 17:45:07 UTC
duplicate of bug 143750

Patch is already included in the scheduled pam update for U1.


Comment 5 Tomas Mraz 2005-04-19 15:25:31 UTC
*** Bug 155357 has been marked as a duplicate of this bug. ***