
#1 2016-07-16 15:31:02

nixscripter
Member
Registered: 2011-06-08
Posts: 9

An edgecase use of /bin/login

After upgrading an Arch box a week ago, something suddenly broke. But my investigation suggests that it was only barely working originally, and Google is not helpful in trying to get to the bottom of this.

On this particular box, I am a fan of recursive logins. That is, SSH into the box as user A, but get to a session of user B. User B, however, has a whole bunch of weird and convenient PAM hooks (like mounting encrypted disks), and the user sometimes overlaps with a parallel X session (don't ask), so not any login mechanism will do. In particular,

sudo -i

won't work, and

su

won't work, because they will either fail to trigger or don't have permission to execute all of the PAM hooks.

There is only one thing I have found that works:

exec sudo /bin/login

That stopped working last week.

My first investigation was to the man pages, where I found this rather ominous section:

BUGS
       [ .... ]
       A  recursive  login,  as  used  to be possible in the good old days, no
       longer works; for most purposes su(1)  is  a  satisfactory  substitute.
       Indeed,  for  security  reasons,  login does a vhangup() system call to
       remove any possible listening processes on the tty.  This is  to  avoid
       password sniffing.  If one uses the command login, then the surrounding
       shell gets killed by vhangup() because it's no longer the true owner of
       the  tty.  This can be avoided by using exec login in a top-level shell
       or xterm.

Uh... okay... when I did strace I saw that. But "exec login" is exactly what I was doing.

But wait, since when was that deprecated? That must be new, right? Well, perhaps not.

I tried this on my Gentoo box, and it worked fine. I looked at the man page it had, and it's completely different! In addition to there being no BUGS section suggesting anything like that is a problem, there's no AUTHOR section at all (which the Arch man page currently has).

How is this possible? Because Arch's /bin/login command is provided by the util-linux package (currently version 2.28 as I write this), and Gentoo's is provided by the shadow package. The Gentoo version of shadow (4.1.5.1) is slightly older than Arch's version (4.2.1), but I couldn't find any evidence that upstream shadow stopped putting /bin/login in. I'm guessing Arch specifically excised it from their version in favor of the util-linux version.

I have two questions.

1. Can anyone tell me how this distribution choice on the part of Arch was made? On the flip side, what would the consequences be of changing it back?
2. The other option, I suppose, is to debug what's going on with PAM. If that seems to be a valid approach, I'll post more info, but I would like to at least know about number 1 first.

Thanks in advance.


#2 2016-07-16 20:09:44

Awebb
Member
Registered: 2010-05-06
Posts: 6,286

Re: An edgecase use of /bin/login

1. I don't know, but I know how you can find such things out. Go to the package page. Search for the package you want to inspect and find the "Package Actions" box on the top right of the package page. "View changes" will show you the git log of the package. You might also be able to git pull the package, they are organized in branches as packages/$PACKAGENAME. This would be a great opportunity to familiarize yourself with git-bisect, if you haven't already.

2. Recursive logins and PAM hooks indeed require more information. You could have hidden the Amber Room in there, for all we know.

EDIT: You can even use the git log search on the page! I was curious about this, so I looked it up myself:

https://git.archlinux.org/svntogit/pack … cdf94cbc46

It's from 2012-06-30, not exactly a recent change.

EDIT:

And the corresponding commit in util-linux: https://git.archlinux.org/svntogit/pack … 6a2a477df3

Last edited by Awebb (2016-07-16 20:19:12)
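The git-bisect approach Awebb suggests, as an added worked example that is not part of this thread and does not touch Arch's real svntogit repository: the script builds a small throwaway git history in a temporary directory (constructed commits whose "files" list mimics a package's installed-file list), then lets `git bisect run` find the first commit in which `usr/bin/login` disappeared. The commit subjects, the `files` list and the helper names `make_history` and `find_login_removal` are all assumptions of this example; only `git` itself is required.

```shell
#!/bin/sh
# Added example (not from the thread): locate, with git bisect, the commit in
# which a package stopped shipping usr/bin/login. Everything below is a
# constructed stand-in for a real package repository so it runs offline.
set -eu

# Build a throwaway repository with six commits; the fourth one drops login.
# The body is a subshell so the cd does not leak into the caller.
make_history() (
    repo=$(mktemp -d)
    cd "$repo"
    git init -q
    git config user.email "bisect@example.invalid"   # constructed identity
    git config user.name "bisect example"
    printf 'usr/bin/login\nusr/bin/su\nusr/bin/passwd\n' > files
    git add files
    git commit -q -m "step 1: import package (constructed)"
    echo usr/bin/chage   >> files; git commit -qam "step 2: add chage (constructed)"
    echo usr/bin/faillog >> files; git commit -qam "step 3: add faillog (constructed)"
    grep -vx usr/bin/login files > files.tmp && mv files.tmp files
    git commit -qam "step 4: drop login, util-linux provides it (constructed)"
    echo usr/bin/lastlog >> files; git commit -qam "step 5: add lastlog (constructed)"
    echo usr/bin/newgrp  >> files; git commit -qam "step 6: add newgrp (constructed)"
    echo "$repo"
)

# Bisect between the root commit (good: login listed) and HEAD (bad: login
# gone). The probe exits 0 when the file list still names login and 1
# otherwise, which is exactly the good/bad signal `git bisect run` expects.
# Prints the subject line of the first bad commit.
find_login_removal() (
    cd "$1"
    first=$(git rev-list --max-parents=0 HEAD)
    git bisect start HEAD "$first" >/dev/null 2>&1
    git bisect run sh -c 'grep -qx usr/bin/login files' >/dev/null 2>&1
    # When the run finishes, refs/bisect/bad names the first bad commit.
    git log -1 --format=%s refs/bisect/bad
    git bisect reset >/dev/null 2>&1
)
```

Source the file and run `find_login_removal "$(make_history)"`; it prints the step-4 subject. Against a real package repository the same probe would be something like `test -e` on the package's login entry in its PKGBUILD or file list, and the good/bad endpoints would be two known package revisions instead of the root commit and HEAD.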


#3 2016-07-20 02:27:58

nixscripter
Member
Registered: 2011-06-08
Posts: 9

Re: An edgecase use of /bin/login

Thanks for the information.

I guess I'm not too surprised the specific switchover is that old.

I will poke around with versions of util-linux a bit, and if that doesn't help, I'll get back to you with my PAM configuration.
