| field | value | date |
|---|---|---|
| author | Laurent Bigonville <bigon@debian.org> | 2019-09-03 16:48:39 +0200 |
| committer | Laurent Bigonville <bigon@debian.org> | 2019-09-03 17:00:06 +0200 |
| commit | 4d8a10d86cca3de958a2d02d3db666f4c5c8a2cf (patch) | |
| tree | f5e8659695e0719d0cce49bad04e0910d237cf3d | |
| parent | 9bda99f55de51c865025f6ad805e33e363a9e201 (diff) | |
| download | shadow-4d8a10d86cca3de958a2d02d3db666f4c5c8a2cf.tar.gz | |
Move the call to pam_motd before pam_selinux open
pam_selinux calls setexeccon() with the context of the user, which means
that the first execve() after the call to "pam_selinux open" will be
executed in the user's context.

As pam_motd in Debian calls system() to run run-parts to generate the
motd dynamically, we need to be sure that this is done before that so it
runs in the context of the login executable.
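The ordering rule the commit message states (nothing that forks a helper may sit after `pam_selinux.so open`) is easy to get wrong again in a later edit, so here is an added example, not part of this commit or of the shadow package, of a small lint that parses a PAM session stack, including the bracketed `[success=ok ...]` control syntax, and reports every process-spawning module that appears after `pam_selinux.so open`. The two sample stacks are constructed from the lines visible in this diff (before and after the change); the set of spawning modules (`pam_motd.so`, `pam_exec.so`) is an assumption and should be extended for your own configuration.

```python
import re

# Constructed sample: the session part of debian/login.pam as it was before
# this commit, trimmed to the lines that matter (pam_motd after "pam_selinux open").
OLD_LOGIN_PAM = """\
session required pam_loginuid.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
"""

# Constructed sample: the same stack after this commit.
NEW_LOGIN_PAM = """\
session required pam_loginuid.so
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session required pam_limits.so
session optional pam_lastlog.so
"""

# Session modules known to fork/exec a helper (pam_motd runs run-parts via
# system(), pam_exec runs an arbitrary command). Assumption: illustrative list.
SPAWNING_MODULES = {"pam_motd.so", "pam_exec.so"}

# One PAM line: type, control (a single word or a [bracketed] field), module, args.
_PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return a list of (type, control, module, args) for each effective line.

    Comments and blank lines are skipped; '@include' lines are ignored because
    the included file is not available to this stand-alone check.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        # A leading '-' (silence missing-module errors) does not change the type.
        entries.append((typ.lstrip("-"), control, module, args.split()))
    return entries


def modules_after_selinux_open(text):
    """Return the spawning session modules listed after 'pam_selinux.so open'.

    Anything in this list would exec its helper as the first execve() after
    setexeccon(), i.e. in the user's SELinux context instead of login's.
    """
    offenders = []
    seen_open = False
    for typ, _control, module, args in parse_pam(text):
        if typ != "session":
            continue
        if module == "pam_selinux.so" and "open" in args:
            seen_open = True
            continue
        if seen_open and module in SPAWNING_MODULES:
            offenders.append(module)
    return offenders


if __name__ == "__main__":
    for name, stack in (("old", OLD_LOGIN_PAM), ("new", NEW_LOGIN_PAM)):
        bad = modules_after_selinux_open(stack)
        print(f"{name}: {'OK' if not bad else 'after pam_selinux open: ' + ', '.join(bad)}")
```

Run against a real `/etc/pam.d/login` by replacing the sample string with the file's contents; any module the check reports is one whose helper would run in the user's context rather than in login's.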
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | debian/login.pam | 17 |

1 file changed, 10 insertions, 7 deletions
diff --git a/debian/login.pam b/debian/login.pam index 3226fe2d..553145fa 100644 --- a/debian/login.pam +++ b/debian/login.pam @@ -26,9 +26,19 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux # Sets the loginuid process attribute session required pam_loginuid.so +# Prints the message of the day upon successful login. +# (Replaces the `MOTD_FILE' option in login.defs) +# This includes a dynamically generated part from /run/motd.dynamic +# and a static (admin-editable) part from /etc/motd. +session optional pam_motd.so motd=/run/motd.dynamic +session optional pam_motd.so noupdate + # SELinux needs to intervene at login time to ensure that the process # starts in the proper default security context. Only sessions which are # intended to run in the user's context should be run after this. +# pam_selinux.so changes the SELinux context of the used TTY and configures +# SELinux in order to transition to the user context with the next execve() +# call. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open # When the module is present, "required" would be sufficient (When SELinux # is disabled, this returns success.) @@ -71,13 +81,6 @@ session required pam_limits.so # (Replaces the `LASTLOG_ENAB' option from login.defs) session optional pam_lastlog.so -# Prints the message of the day upon successful login. -# (Replaces the `MOTD_FILE' option in login.defs) -# This includes a dynamically generated part from /run/motd.dynamic -# and a static (admin-editable) part from /etc/motd. -session optional pam_motd.so motd=/run/motd.dynamic -session optional pam_motd.so noupdate - # Prints the status of the user's mailbox upon successful login # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). # |
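Review bot: the comment block added above the two pam_motd lines in the first hunk still does not say why they now sit before `pam_selinux.so open`, so a later tidy-up could move them back below pam_lastlog and silently reintroduce the problem the commit message describes; add the reason right there, e.g. `# Must run before "pam_selinux.so open": pam_motd runs run-parts via system(),` followed by `# and the first execve() after setexeccon() already runs in the user's context.` Also, in the new comment above the pam_selinux line, "changes the SELinux context of the used TTY" reads better as "of the TTY in use".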
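Review bot: dropping the pam_motd lines from below `session optional pam_lastlog.so` in the second hunk changes two things the commit message does not mention: the message of the day is now printed before the "Last login" line that pam_lastlog produces, and, since the hunk header shows `session required pam_limits.so` above the removed block, run-parts for /run/motd.dynamic now runs before pam_limits has applied the user's resource limits to the login process. Both may well be intended, but state them in the commit message or debian/changelog so the reorder is not later mistaken for a regression.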