Debian Bug report logs - #935186
dovecot PAM service includes common-session

version graph

Package: dovecot-core; Maintainer for dovecot-core is Dovecot Maintainers <[email protected]>; Source for dovecot-core is src:dovecot (PTS, buildd, popcon).

Reported by: Laurent Bigonville <[email protected]>

Date: Tue, 20 Aug 2019 16:39:01 UTC

Severity: normal

Found in version dovecot/1:2.3.4.1-5

Reply or subscribe to this bug.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to [email protected], [email protected], Dovecot Maintainers <[email protected]>:
Bug#935186; Package dovecot-core. (Tue, 20 Aug 2019 16:39:04 GMT) (full text, mbox, link).

Acknowledgement sent to Laurent Bigonville <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], Dovecot Maintainers <[email protected]>. (Tue, 20 Aug 2019 16:39:04 GMT) (full text, mbox, link).

Message #5 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: dovecot PAM service includes common-session
Date: Tue, 20 Aug 2019 18:35:54 +0200
Package: dovecot-core
Version: 1:2.3.4.1-5
Severity: normal

Hi,

Currently, the dovecot PAM service includes common-session. Shouldn't it
be common-session-noninteractive instead?

On my machine, the only difference is the fact that the
common-session-noninteractive is not including the pam_systemd module.

Including the pam_systemd module means that a new logind session will be
started and some process could be also started by the systemd --user
instance, which might be overkill.

Shouldn't that be changed to common-session-noninteractive?

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Information forwarded to [email protected], Dovecot Maintainers <[email protected]>:
Bug#935186; Package dovecot-core. (Tue, 20 Aug 2019 16:57:04 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Biebl <[email protected]>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <[email protected]>. (Tue, 20 Aug 2019 16:57:04 GMT) (full text, mbox, link).

Message #10 received at [email protected] (full text, mbox, reply):

From: Michael Biebl <[email protected]>
To: Laurent Bigonville <[email protected]>, [email protected]
Subject: Re: Bug#935186: dovecot PAM service includes common-session
Date: Tue, 20 Aug 2019 18:53:04 +0200
[Message part 1 (text/plain, inline)]
Am 20.08.19 um 18:35 schrieb Laurent Bigonville:
> Package: dovecot-core
> Version: 1:2.3.4.1-5
> Severity: normal
> 
> Hi,
> 
> Currently, the dovecot PAM service includes common-session. Shouldn't it
> be common-session-noninteractive instead?
> 
> On my machine, the only difference is the fact that the
> common-session-noninteractive is not including the pam_systemd module.
> 
> Including the pam_systemd module means that a new logind session will be
> started and some process could be also started by the systemd --user
> instance, which might be overkill.
> 

Fwiw, we were asked to add pam_systemd to common-session-noninteractive
as well.
https://security-tracker.debian.org/tracker/CVE-2019-9619

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 15:05:44 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.