Bug 214616 - kdm allows logins even if shell is set to /sbin/nologin
Summary: kdm allows logins even if shell is set to /sbin/nologin
Status: RESOLVED NOT A BUG
Alias: None
Product: kdm
Classification: Miscellaneous
Component: general (show other bugs)
Version: unspecified
Platform: Arch Linux Unspecified
: NOR normal
Target Milestone: ---
Assignee: kdm bugs tracker
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-15 08:06 UTC by Caleb Cushing
Modified: 2009-11-17 08:39 UTC (History)
0 users

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Caleb Cushing 2009-11-15 08:06:04 UTC 
Version:            (using KDE 4.3.3)
Installed from:    Archlinux Packages

I have a user account on the system that I wish to disable I tried setting the shell to both /sbin/nologin and /bin/false neither are effective at disabling the user from logging in with kdm. I believe this is a security hole (esp nologin) since most unix admins will do this to disable accounts.
Comment 1 Caleb Cushing 2009-11-15 08:17:08 UTC 
the only way I've found to lock the account is to lock the passwd sudo passwd -l username event setting the expire date to 1 doesn't work.

      -l, --lock
           Lock the password of the named account. This option disables a
           password by changing it to a value which matches no possible
           encrypted value (it adds a '!' at the beginning of the password).

           Note that this does not disable the account. The user may still be
           able to login using another authentication token (e.g. an SSH key).
           To disable the account, administrators should use usermod
           --expiredate 1 (this set the account's expire date to Jan 2, 1970).

           Users with a locked password are not allowed to change their
           password.
Comment 2 Oswald Buddenhagen 2009-11-15 09:54:10 UTC 
you didn't add the pam_nologin module to the kde pam stack.
Comment 3 Oswald Buddenhagen 2009-11-15 10:09:03 UTC 
bah, sorry, i misread. you want pam_shells, of course.

i have no idea why --expiredate 1 doesn't work - it might be a bug in pam_unix (or whatever else main authentication module you're using). i know that passwd -e works, and as it is the same from kdm's pov, i can safely deny any responsibility.
Comment 4 Caleb Cushing 2009-11-15 19:54:57 UTC 
#%PAM-1.0
auth        required    pam_unix.so
auth        required    pam_nologin.so
account     required    pam_unix.so
password    required    pam_unix.so
session     required    pam_unix.so
session     required    pam_limits.so

not knowing exactly how it works... what if I was bypassing passwords with kdm using autologin?
Comment 5 Oswald Buddenhagen 2009-11-15 20:09:56 UTC 
autologin uses a separate service definition, but other than that it behaves just normally, i.e. it will do exactly what you told it to.
read the pam admin guide for details.
Comment 6 Caleb Cushing 2009-11-17 01:03:39 UTC 
does kde provide pam configuration files for kdm? or is that a distribution thing? if it's a distribution thing why doesn't kde do it?
Comment 7 Oswald Buddenhagen 2009-11-17 08:39:18 UTC 
if no kde pam service definitions are to be found yet, make install (run as root) will try to derive appropriate ones from existing ones. if that fails, too bad. it is a distribution and admin thing, after all.