Bug 80032

Summary: kdm does not obey pam_limits
Product: [Unmaintained] kdm Reporter: Dominique Devriese <devriese>
Component: generalAssignee: kdm bugs tracker <kdm-bugs-null>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Dominique Devriese 2004-04-20 23:51:04 UTC 
Version:            (using KDE KDE 3.2.2)
Installed from:    Debian testing/unstable Packages

Note: this is a forward of the following Debian bug report:
	http://bugs.debian.org/242641

The original text of the report follows, along with a pretty interesting comment by someone else:
Original report:
	Pam really restricts login with these settings, that means I cannot 	
	open 2 console sessions and I cannot open one samba session + one
	console session. But KDM does seem to respond to the code returned by
	pam.  I am not a PAM expert but I believe that pam returns a session
	failure code and then KDM should respond showing something like
	"access denied". A while ago I also tried XDM and GDM and only one of
	those two reacted as expected. 
Interesting comment:
	I checked kdebase-3.2.1/kdm/backend/client.c and, at line 1142, there 
	are two function calls whose return value is not used : 
 
	 	pam_set_item (pamh, PAM_CONV, &pconv); /* XXX this can fail */ 
		pam_open_session (pamh, 0); /* XXX this can fail, too */ 
 
	(if I judge by the XXX comments, the author seems aware that something 
	remains to be done) 
 
	I changed these two lines to : 
		if ((pretc=pam_set_item (pamh, PAM_CONV, &pconv) != PAM_SUCCESS) 
		|| (pretc=pam_open_session (pamh, 0) != PAM_SUCCESS )) { 
		LogError ("Unable to open session for user %s : %s", curuser, 
		pam_strerror (pamh, pretc)); 
		return 0; 
		} 
 
	Then, kdm complies with the settings in limits.conf (actually, i've 
	done only one test with maxlogins). Although there is no warning 
	window to inform the user (something to add later, imho), user login 
	is denied as expected. 
 
	The LogError line doesn't seem to work and I'm not familiar enough 
	with KDE internals to know why (I've just copied and modified a 
	similar line earlier in the file). 

I hope this is enough information for you to fix this.

Thanks
domi
Comment 1 Oswald Buddenhagen 2005-09-15 20:42:34 UTC 
fwiw, i could just add a (working) error check, but then we'd arrive at bug #110452.
on a related matter, pam experts disagree on the correct order of pam_open_session and pam_setcred, so i'm slightly unsettled.
another thing to check is how pam is working on FreeBSD and possibly other systems with weird functions like setusercontext(), setpcred(), etc.
Comment 2 Kees van Vloten 2005-09-15 23:01:59 UTC 
Oswald,

I opened this problem in Debian BTS, it is a long time ago. I remember I
also tried GDM and XDM and one of those two showed correct behaviour (I
think it was GDM). Perhaps you can check the source code of those two find
out how to handle pam correctly?...
Shell login (getty) also contains similar code, perhaps that can help?

Kees.

[bugs.kde.org quoted mail]
Comment 3 Oswald Buddenhagen 2006-10-13 20:26:13 UTC 
this is actually the original, but who cares. :)

*** This bug has been marked as a duplicate of 128507 ***