From: Ivan Grover
To: freebsd-security@freebsd.org
Date: Tue, 24 Feb 2009 20:47:00 +0530
Message-ID: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com>
Subject: PAM rules inside pam.d

Hi All,

I had PAM rules for my own service as below:

    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_deny.so

This used to work properly in my older PAM libraries. For successful authentication, it used to return from pam_stack.so, as system-auth has sufficient in its rules as below, and it doesn't pass below the stack to pam_deny.so:

    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so

Now, after upgrading the PAM modules (pam_unix.so, pam_stack.so, ...) and library, it doesn't work. To make it work, I need to remove the last one, pam_deny.so, as below:

    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so

Can anyone please let me know if you have seen a similar problem? Any suggestions/comments, please advise.
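
A simplified model of how the "required" and "sufficient" control flags evaluate the stacks quoted in the message above, added here as an illustration; it is not part of the original post and not PAM's own code. The function names, the `pam_stack:system-auth` notation and the assumption that pam_stack.so behaves as an ordinary module returning its sub-stack's result are hypothetical, as are the fixed outcomes given to pam_securetty, pam_env and pam_nologin.

```python
# Simplified model of "required"/"sufficient" handling (illustration only).

SYSTEM_AUTH = [            # the system-auth stack quoted in the message
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("required",   "pam_deny"),
]
SERVICE_OLD = [            # original service stack, ending in pam_deny.so
    ("required", "pam_securetty"),
    ("required", "pam_stack:system-auth"),
    ("required", "pam_deny"),
]
SERVICE_NEW = [            # stack reported as working after the upgrade
    ("required", "pam_stack:system-auth"),
    ("required", "pam_nologin"),
]
STACKS = {"system-auth": SYSTEM_AUTH}


def call_module(name, password_ok):
    """Return True if the module succeeds. Outcomes are demo assumptions."""
    if name.startswith("pam_stack:"):
        # Assumption: an ordinary module that returns the sub-stack's result.
        return run_stack(STACKS[name.split(":", 1)[1]], password_ok)
    if name == "pam_unix":
        return password_ok
    if name == "pam_deny":
        return False               # pam_deny always fails
    return True                    # securetty, env, nologin: assumed to pass


def run_stack(stack, password_ok):
    """Evaluate one stack; True means authentication succeeds."""
    required_failed = False
    for control, module in stack:
        ok = call_module(module, password_ok)
        if control == "sufficient":
            if ok and not required_failed:
                return True        # ends THIS stack only, not the caller's
            # a failing "sufficient" module is ignored
        elif control == "required":
            if not ok:
                required_failed = True   # remembered; later lines still run
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return not required_failed
```

In this model the "sufficient" success of pam_unix ends only the system-auth stack; the calling stack then moves on to its next line, so a trailing "required" pam_deny.so there is always evaluated.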