[LWN Logo]

Date:         Thu, 7 Oct 1999 19:56:46 +0100
From: David Malone <dwmalone@MATHS.TCD.IE>
Subject:      Problems with redhat 6 Xsession and pam.d/rlogin.
To: BUGTRAQ@SECURITYFOCUS.COM

I've found two problems which seem to be present in RedHat 6.0 and RedHat 6.1.
They're not earthshatteringly bad, but...

	1) Xsession on RedHat will start kde, gnome or anotherlevel
	rather than running a user's .xsession file, if you choose
	one of these from kdm. This is bad if you have account
	which have a special shell and xsession which are supposed
	to only allow one use of the account.

	Maybe it would be sensible to check a user has a shell listed
	in /etc/shells before starting a kde, gnome or anoterlevel
	session for them.

	2) In pam.d/rlogin allows you to log in, even if /etc/nologin
	exists 'cos the line:

		auth       sufficient   /lib/security/pam_rhosts_auth.so
	
	is futher up the file than:

		auth       required     /lib/security/pam_nologin.so

	Easy to fix.

David.