[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Red Hat 5.2's login doesn't do PAM session management correctly



This is a "heads up" for anyone who relies on PAM session management in 
order to clean up after a login session.  Red Hat 5.2's login does not 
perform PAM session management correctly, potentially resulting in sessions 
which lose their authentication before the login shell starts.

login.c in Red Hat 5.2's util-linux package was modified so that it no 
longer forks a separate process for the user's shell; instead, it 
immediately closes the session and execs the user's shell.  This means that 
a PAM module which expects to be able to do post-session cleanup in its 
pam_close_session hook will do the cleanup *before* the user's shell is 
invoked.  This breaks the pam_linux_afs module (which invokes AFS's unlog) 
and KTH Kerberos's pam_krb4 module (which destroys the ticket cache), among 
others, so the session is effectively unauthenticated (contrary to both PAM 
documentation and users' and administrators' expectations).

The workaround for pam_linux_afs is to remove the session entry for 
pam_linux_afs from /etc/pam.d/login and add "no_unlog" to the auth entry.  I 
haven't tried to produce a workaround for KTH pam_krb4 yet because it has 
several other bugs which make it unusable in our environment and I haven't 
had the time to sit down and fix it.

I have a temporary patch to util-login which restores the original behavior, 
and I have submitted a bug report to Red Hat (which was acknowledged today). 
(If anyone needs the patch, send mail to me at allbery ece cmu edu and I'll 
send you the patch and spec file.)

-- 
brandon s. allbery	[os/2][linux][solaris][japh]	 allbery kf8nh apk net
system administrator	     [WAY too many hats]	   allbery ece cmu edu
carnegie mellon / electrical and computer engineering			 KF8NH
			  Kiss my bits, Billy-boy.
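The two orderings the post contrasts, as an added illustration that is not code from the post or from util-linux: the PAM calls are replaced by stand-in functions (fake_open_session, fake_close_session, shell_started_with_creds are invented names), and the correct ordering uses a real fork()/waitpid() so the parent closes the session only after the "shell" child has exited.

```c
/* Simulation of the two login(1) orderings described in the post.
 * Not real PAM: a flag in a struct plays the role of the credential
 * (Kerberos ticket cache or AFS token) that a module's
 * pam_close_session hook destroys. */
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct session {
    bool creds_valid; /* ticket cache / AFS token present */
};

/* Stand-ins for a module's session hooks: open obtains credentials,
 * close destroys them (kdestroy / unlog). */
static void fake_open_session(struct session *s)  { s->creds_valid = true; }
static void fake_close_session(struct session *s) { s->creds_valid = false; }

/* Stand-in for the user's shell: reports whether it still held
 * credentials at the moment it started. */
static bool shell_started_with_creds(const struct session *s) {
    return s->creds_valid;
}

/* Red Hat 5.2 ordering: close the session, then exec the shell in the
 * same process.  Returns whether the shell saw valid credentials. */
bool login_close_then_exec(void) {
    struct session s = {0};
    fake_open_session(&s);
    fake_close_session(&s);              /* cleanup hooks run here ... */
    return shell_started_with_creds(&s); /* ... before the shell exists */
}

/* Ordering PAM expects: fork, child execs the shell, parent waits for it
 * and only then closes the session.  Returns whether the shell saw valid
 * credentials, or false if fork/wait failed. */
bool login_fork_wait_close(void) {
    struct session s = {0};
    fake_open_session(&s);
    pid_t pid = fork();
    if (pid < 0)
        return false;
    if (pid == 0)                        /* child: stands in for the exec'd shell */
        _exit(shell_started_with_creds(&s) ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return false;
    fake_close_session(&s);              /* cleanup only after the shell exits */
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```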
