GNU bug report logs - #33916
[PATCH 0/4] Make GDM usable


Package: guix-patches;

Reported by: Timothy Sample <samplet <at> ngyro.com>

Date: Sun, 30 Dec 2018 02:38:02 UTC

Severity: normal

Tags: patch

Done: Danny Milosavljevic <dannym <at> scratchpost.org>

Bug is archived. No further changes may be made.


From: Timothy Sample <samplet <at> ngyro.com>
To: Danny Milosavljevic <dannym <at> scratchpost.org>
Cc: 33916-done <at> debbugs.gnu.org
Subject: [bug#33916] [PATCH 0/4] Make GDM usable
Date: Sun, 30 Dec 2018 09:42:23 -0500

Hi Danny,

Danny Milosavljevic <dannym <at> scratchpost.org> writes:

> Hi Timothy,
>
> thanks!
>
> I've pushed this series to master as:
>
> 92deb5cc920fcc7617302986180f1abee5fd2b26
> 89c8656200a21485fd50fe4d277792d7d56c63e0
> de409e82261eb147b6614aef8731d795ca664ef0
> 48c8d067d4ded776939cda6f9c63c25b38ba77fc

Thank you!

> I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
> and it just does "auth sufficient pam_rootok.so".  This means that root
> will be allowed to log in without password (which is what is documented
> there, too).
>
> But how come it (or gdm) then allows any user?

More specifically, it means that root is authorized to perform whatever
action PAM is being asked about without providing a password.  In this
case, “root” is GDM itself, and the action is “log in as so-and-so”.
Hence, PAM says, “sure thing, root, log in as whoever you like!”

The part I’m not certain about is why GDM is running as root.  My
current understanding is that it is running with effective UID gdm and
real UID root.  I remember reading in the docs that “pam_rootok.so” only
cares about real UID [1].

> Fedora does it differently:
>
> See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager
>
>> auth required pam_succeed_if.so user != root quiet

That looks better.  That would be easy to add if people find it useful.
(I wouldn’t bother with it, but if Fedora does it, then it must be
popular enough.)


[1] http://www.linux-pam.org/Linux-PAM-html/sag-pam_rootok.html


-- Tim
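
The stack behaviour discussed in the message above, as an added example that is not part of the original thread and is not Guix or Linux-PAM code: a simplified Python model of an `auth` stack, showing why `sufficient pam_rootok.so` lets a caller whose real UID is 0 pass authentication for any target user, and what the quoted Fedora line changes. The `pam_unix.so` line, the position of the `pam_succeed_if.so` line, the `request` helper and UID 1000 are assumptions made for illustration.

```python
# Simplified model of a PAM "auth" stack; an illustration, not Linux-PAM or Guix code.
# Only the control flags required, requisite and sufficient are modelled.

def pam_rootok(ctx, args):
    # Looks at the real UID of the calling process, never at the target user.
    return ctx["caller_ruid"] == 0

def pam_unix(ctx, args):
    return ctx["password_ok"]          # stand-in for password verification

def pam_succeed_if(ctx, args):
    field, op, value = args[:3]        # only "user != NAME" / "user = NAME"
    if field != "user" or op not in ("=", "!="):
        raise ValueError("unsupported condition")
    return (ctx["user"] == value) == (op == "=")

MODULES = {"pam_rootok.so": pam_rootok, "pam_unix.so": pam_unix,
           "pam_succeed_if.so": pam_succeed_if}

def parse(text):
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(r[1], r[2], r[3:]) for r in rows if len(r) >= 3 and r[0] == "auth"]

def authenticate(config, ctx):
    passed = failed = False
    for control, module, args in parse(config):
        ok = MODULES[module](ctx, args)
        if control == "sufficient":
            if ok and not failed:
                return True            # short-circuit: later modules never run
        elif ok:
            passed = True
        else:
            failed = True
            if control == "requisite":
                return False
    return passed and not failed

# Constructed stacks. The pam_unix.so line and the position of the
# pam_succeed_if.so line are assumptions made for this example.
ROOTOK_STACK = """
auth sufficient pam_rootok.so
auth required   pam_unix.so
"""
WITH_SUCCEED_IF = "auth required pam_succeed_if.so user != root quiet\n" + ROOTOK_STACK

def request(caller_ruid, user, password_ok):
    return {"caller_ruid": caller_ruid, "user": user, "password_ok": password_ok}

if __name__ == "__main__":
    print(authenticate(ROOTOK_STACK, request(0, "alice", False)))
```

In this model the `pam_succeed_if.so` line only refuses `root` as the target user; a caller with real UID 0 still short-circuits through `pam_rootok.so` for every other account.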




This bug report was last modified 6 years and 200 days ago.
