Bug 143750 - console login as root fails if /etc/nologin exists
Summary: console login as root fails if /etc/nologin exists
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Ben Levenson
Reported: 2004-12-26 20:23 UTC by Gabor Kovacs
Modified: 2007-11-30 22:10 UTC

Fixed In Version: pam-0.77-66.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-02-10 10:14:32 UTC

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2005:091 | normal | SHIPPED_LIVE | pam bug fix update | 2005-06-08 04:00:00 UTC

Description Gabor Kovacs 2004-12-26 20:23:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) (KHTML, like Gecko)

Description of problem:
Logging in on console as root fails if /etc/nologin exists. Logging in by ssh is OK.

An attempt to log in as root gives the following log:

Dec 21 11:52:54 bolyai26 login(pam_unix)[3309]: session opened for user root by LOGIN(uid=0)
Dec 21 11:52:54 bolyai26 login[3309]: Please ignore underlying account module

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create /etc/nologin as root (don't close the shell if you can't log in by ssh)

Additional info:

Authentication was set by system-config-authentication to shadow, MD5 passwords.

Comment 1 Elliot Lee 2005-01-03 22:18:06 UTC
I've verified this behaviour - I think it may be more of a PAM thing.

Comment 2 Tomas Mraz 2005-01-04 13:09:52 UTC
This is a nice one - actually there are 2 bugs - in the pam library for
allowing the PAM_IGNORE status to get to an application and in
pam_nologin (overwriting the return value with the return of pam_get_item).

Comment 3 Tomas Mraz 2005-01-04 19:19:07 UTC
OpenSSH works because it doesn't test the return value of pam_setcred
and it handles the /etc/nologin file on its own.

Comment 4 Tomas Mraz 2005-01-07 15:37:27 UTC
I've fixed this in UPSTREAM CVS, however I plan to add it to the next
FC3 errata too.

Comment 5 Tomas Mraz 2005-01-21 09:32:32 UTC
Actually this isn't a security bug.
