git.ipfire.org Git - thirdparty/systemd.git/commit

author	Chandradeep Dey <chandradeepdey@posteo.net>
	Sun, 18 Oct 2020 09:59:40 +0000 (15:29 +0530)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 21 Oct 2020 14:47:10 +0000 (16:47 +0200)
commit	842067e6753d8cad951c83ac62681c539e1b1a07
tree	658835d96799f6aca7f1315cdbdc4bc9a440914f	tree \| snapshot
parent	429495163cbc1eb331a15d16fb26c829aa43ff0d	commit \| diff

homed: remove PAM_USER_UNKNOWN test in pam_sm_acct_mgmt

Why this change
---------------
Assumption - PAM's auth stack is properly configured.

Currently account pam_systemd_home.so returns PAM_SUCCESS for non
systemd-homed users, and a variety of return values (including
PAM_SUCCESS) for homed users.

account pam_unix returns PAM_AUTHINFO_UNAVAIL for systemd-homed
users, and a variety of return values (including PAM_AUTHINFO_UNAVAIL)
for normal users.

No possible combination in the pam stack can let us preserve the
various return values of the modules. For example, the configuration
mentioned in the manpage causes account pam_unix to never be reached
since pam_systemd_home just returns a success for ordinary users. Users
with expired passwords are allowed to log in because a check cannot be
made.

More configuration examples and why they don't work are mentioned
in #16906 and the downstream discussion linked there.

After this change
-----------------
account pam_unix will continue to return wrong value for homed users.
But we can skip the module conditionally using the return value from
account pam_systemd_home. We can already do this with the auth and
password modules.