Bug#543303: libpam-ssh does the right thing; cron needs to use common-session-noninteractive

Josh Triplett Mon, 08 Mar 2010 00:57:24 -0800

reassign 572292 cron
affects 572292 libpam-ssh
forcemerge 543303 572292
# not *quite* RC, but certainly close
severity 543303 important
thanks


libpam-ssh does the right thing here, and doesn't have a bug.
libpam-ssh only runs in common-session, not
common-session-noninteractive.  However, cron uses common-session, not
common-session-noninteractive.  cron needs fixing.

~$ ps auxf
[...]
root      1406  0.0  0.0  22160  1048 ?        Ss   Mar04   0:00 /usr/sbin/cron
root      3087  0.0  0.0  42604  1764 ?        S    Mar04   0:00  \_ 
/USR/SBIN/CRON
root      3091  0.0  0.0      0     0 ?        Zs   Mar04   0:00  |   \_ [sh] 
<defunct>
root      3165  0.0  0.0  42604  1764 ?        S    Mar04   0:00  \_ 
/USR/SBIN/CRON
root      3169  0.0  0.0      0     0 ?        Zs   Mar04   0:00  |   \_ [sh] 
<defunct>
root      3176  0.0  0.0  42604  1764 ?        S    Mar04   0:00  \_ 
/USR/SBIN/CRON
root      3180  0.0  0.0      0     0 ?        Zs   Mar04   0:00  |   \_ [sh] 
<defunct>
root      3382  0.0  0.0  42604  1764 ?        S    Mar04   0:00  \_ 
/USR/SBIN/CRON
root      3386  0.0  0.0      0     0 ?        Zs   Mar04   0:00  |   \_ [sh] 
<defunct>
[...]
root      3090  0.0  0.0  11792   432 ?        Ss   Mar04   0:00 ssh-agent -s
root      3168  0.0  0.0  11792   436 ?        Ss   Mar04   0:00 ssh-agent -s
root      3179  0.0  0.0  11792   436 ?        Ss   Mar04   0:00 ssh-agent -s
root      3385  0.0  0.0  11792   432 ?        Ss   Mar04   0:00 ssh-agent -s
[...]

~$ ls -ltrd /tmp/ssh-* | head
drwx------ 2 root root 4096 Mar  4 10:17 /tmp/ssh-fWLZVd3089
drwx------ 2 root root 4096 Mar  4 11:17 /tmp/ssh-OuaOAB3167
drwx------ 2 root root 4096 Mar  4 12:17 /tmp/ssh-yWPezF3178
drwx------ 2 root root 4096 Mar  4 13:17 /tmp/ssh-zZxCHW3384
drwx------ 2 root root 4096 Mar  4 14:17 /tmp/ssh-jadPYw3654
drwx------ 2 root root 4096 Mar  4 15:17 /tmp/ssh-EosPFT4029
drwx------ 2 root root 4096 Mar  4 16:17 /tmp/ssh-uAeFwx5402
drwx------ 2 root root 4096 Mar  4 17:17 /tmp/ssh-YxkaAa6467
drwx------ 2 root root 4096 Mar  4 18:17 /tmp/ssh-WzwdwX6754
drwx------ 2 root root 4096 Mar  4 19:17 /tmp/ssh-HrSRUZ6964

This bug also potentially applies to several other services.  A grep of
/etc/pam.d turned up these:

~$ grep common-session -r /etc/pam.d/
/etc/pam.d/schroot:@include common-session
/etc/pam.d/other:@include common-session
/etc/pam.d/polkit-1:@include common-session
/etc/pam.d/cups:@include common-session
/etc/pam.d/chsh:@include common-session
/etc/pam.d/chfn:@include common-session
/etc/pam.d/cvs:# @include common-session
/etc/pam.d/su:@include common-session
/etc/pam.d/cron:@include common-session

schroot and su probably qualify as interactive, and polkit-1 may as well.
cups, cvs, and cron definitely don't, and chsh and chfn shouldn't have sessions
at all.  other might or might not qualify as interactive; ideally, nothing
should ever use it.

- Josh Triplett



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#543303: libpam-ssh does the right thing; cron needs to use common-session-noninteractive

Reply via email to