Re: sudo + pam_lastlog causes user to appear logged out in logs.

Tom McLaughlin <tmclaugh@xxxxxxxxxxxxxxxx> writes:
> Hi, this was originally reported on ports@. [1] Someone noticed that
> after running sudo their session disappeared when running `w`
> afterwards. I've done a little experimenting and this is caused when
> pam_lastlog.so is included in sudo's pam file. This results in the user
> still being logged in though according to the system logs the user has
> logged out.

There can only be one user at a time on a tty; if sudo records the
target user in wtmp, information about the invoking user being logged in
is overwritten. When sudo "logs out" the target user, it is as if
nobody is logged in on that tty. Therefore neither su nor sudo should
invoke pam_lastlog; FreeBSD's PAM configuration for su does not, and
neither do e.g. Debian's or Ubuntu's PAM configurations for su and sudo.

> I can confirm this on -CURRENT and -STABLE. I tested on a CentOS 5.0
> box and their pam_lastlog does not cause this with sudo so it appears to
> be an issue specific to ours. Can someone take a look into this? Also,
> is there any way sudo can work around this? Right now I've commented
> out the session line in the pam file that is installed by the port so
> most users will not be affected. Thanks.

It is bad form to leave a service unconfigured in a PAM stack, as PAM
will fall back to the default stack (if one exists) which may not be
what you want. Instead, use pam_permit.

DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
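
As an added illustration, not part of the original thread, here is what a PAM stack for the sudo service looks like when it follows DES's advice: the session line that pulled in pam_lastlog.so is replaced by pam_permit.so rather than commented out, so the session facility stays configured and PAM never falls back to the default stack. The file path, the "system" include and the auth/account/password lines are assumptions about the layout of the sudo port's pam.d file; only the pam_lastlog.so and pam_permit.so session lines come from the discussion above.

```text
# Assumed location: /usr/local/etc/pam.d/sudo (installed by the sudo port)
#
# Problematic session line (the one discussed in the thread). pam_lastlog
# records the *target* user in wtmp for the tty, overwriting the invoking
# user's entry, and on session close it appears as if nobody is logged in:
#
#   session   required   pam_permit.so      <- correct replacement below
#   session   required   pam_lastlog.so     <- remove this
#
# Do not simply comment the line out: a service with no "session" entries
# makes PAM consult the default stack, which may not behave as intended.

auth      include    system
account   include    system
session   required   pam_permit.so
password  include    system
```

With this stack, running `sudo` and then `w` should still show the invoking user's tty session, because nothing in the sudo service touches wtmp.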