Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 154030 - pam_nologin locks out root as well as nonroot users
Summary: pam_nologin locks out root as well as nonroot users
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
: 155357 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2005-04-06 17:28 UTC by Brad Smith
Modified: 2015-01-08 00:09 UTC (History)
2 users (show)

Fixed In Version: pam-0.77-66.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-06-16 11:04:22 UTC
Target Upstream Version:

Attachments (Terms of Use)
Strace of mingetty denying root access while /etc/nologin exists (deleted)
2005-04-06 17:30 UTC, Brad Smith
no flags Details
ltrace of mingetty denying root access when /etc/nologin exists (deleted)
2005-04-06 17:31 UTC, Brad Smith
no flags Details

Description Brad Smith 2005-04-06 17:28:29 UTC
Description of problem:
According to past experience and the current pam documetation, the presense of a /etc/nologin file should prevent nonroot logins but still permit root access. However, this does not appear to be the case. 

Version-Release number of selected component (if applicable):

How reproducible:
Always. To reproduce:
1) Create /etc/nologin
2) Attempt to login as root via a virtual console. Access will be denied. For any user a line like the following will be appended to /var/log/secure:

Apr  5 21:04:54 marco login[3570]: Please ignore underlying account module

Note that ssh logins as root will still succeed. This is because sshd handles interpretation of /etc/nologin internally and ignores the pam_nologin reference in /etc/pam.d/sshd (so I think that line might be superfluous). 

I will attach an strace and an ltrace of a mingetty instance failing to allow root access while /etc/nologin exists. The problem appears to be in pam_setcred(), near the end of the ltrace. However, I can't troubleshoot it much beyond that.

Comment 1 Brad Smith 2005-04-06 17:30:15 UTC
Created attachment 112766 [details]
Strace of mingetty denying root access while /etc/nologin exists

Comment 2 Brad Smith 2005-04-06 17:31:24 UTC
Created attachment 112767 [details]
ltrace of mingetty denying root access when /etc/nologin exists

Comment 3 Brad Smith 2005-04-06 17:33:01 UTC
Sorry about the formatting. So much for my experiment with using links. =:\

Comment 4 Tomas Mraz 2005-04-06 17:45:07 UTC
duplicate of bug 143750

Patch is already included in the scheduled pam update for U1.

Comment 5 Tomas Mraz 2005-04-19 15:25:31 UTC
*** Bug 155357 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.