On 28 Sep, Steve Langasek wrote:
> On Wed, Sep 28, 2005 at 05:14:31PM -0700, James Blanford wrote:
>> Package: libpam-modules
>> Version: 0.79-1
>
>> I used to be able to su from root to any other account without
>> entering a password. Now a password is requested. This breaks at
>> least the updatedb script. Please revert the SELinux passwd class
>> permissions check.
>
> Please explain why the SELinux patch is to blame. The SELinux changes
> should have zero impact unless you have an SELinux-enabled kernel,
> *and* you have SELinux turned on at boot time.
>
I based my conclusion on the Debian changelog, where it states:
- make pam_rootok check the SELinux passwd class permissions, not just
the uid
Note that it doesn't say, "make pam_rootok check the SELinux passwd
class permissions, _if SELinux is enabled_".
Were pam_rootok to check these class permissions and they didn't exist,
I would expect them to fail. Bugs resulting from new SELinux "features"
that fail to check whether SELinux is enabled have become pretty common
occurrences lately.
OK, I was trying to goad you into checking and failed. So I reverted
the patch myself and rootok is still broken. I hereby change the bug to
"rootok module is broken and I don't know why". Going back to
0.76-23 restores rootok's functionality.
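The guard discussed in this thread, as an added example that is not part of the original message and is not pam_rootok's source: a model of a root-only check that consults an SELinux passwd-class permission, written once without and once with a test for whether SELinux is enabled. The `selinux_probe` struct, the function names and the three host profiles are hypothetical stand-ins for the real library calls, constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical probe interface standing in for the SELinux library calls. */
struct selinux_probe {
    int (*is_enabled)(void);    /* 1 = enabled, 0 = disabled, -1 = error */
    int (*passwd_rootok)(void); /* 0 = permitted, -1 = denied or no policy */
};

/* Unguarded: always consults the passwd class, so a host that has no
 * policy loaded refuses root even though the uid is 0. */
bool rootok_unguarded(unsigned uid, const struct selinux_probe *p)
{
    return uid == 0 && p->passwd_rootok() == 0;
}

/* Guarded: the class check applies only when SELinux is enabled.
 * A probe error (-1) is treated like "disabled" here; a stricter
 * module could choose to deny in that case instead. */
bool rootok_guarded(unsigned uid, const struct selinux_probe *p)
{
    if (uid != 0)
        return false;
    if (p->is_enabled() < 1)
        return true; /* plain uid check, as before the SELinux change */
    return p->passwd_rootok() == 0;
}

/* Constructed host profiles (not taken from any real system). */
static int enabled_no(void)  { return 0; }
static int enabled_yes(void) { return 1; }
static int access_fail(void) { return -1; }
static int access_ok(void)   { return 0; }

const struct selinux_probe HOST_NO_SELINUX   = { enabled_no,  access_fail };
const struct selinux_probe HOST_SELINUX_OK   = { enabled_yes, access_ok };
const struct selinux_probe HOST_SELINUX_DENY = { enabled_yes, access_fail };

int main(void)
{
    printf("no SELinux, uid 0: unguarded=%d guarded=%d\n",
           rootok_unguarded(0, &HOST_NO_SELINUX),
           rootok_guarded(0, &HOST_NO_SELINUX));
    printf("SELinux deny, uid 0: unguarded=%d guarded=%d\n",
           rootok_unguarded(0, &HOST_SELINUX_DENY),
           rootok_guarded(0, &HOST_SELINUX_DENY));
    return 0;
}
```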