RHEL 7 and uid < 59000 in pam files

Hello,

we are about to start deploying more and more RHEL 7 servers. On the few I have just done there is one, well, "issue".
In some of the /etc/pam.d/* files there is a stanza:

# grep 59000 *
fingerprint-auth:account     sufficient    pam_succeed_if.so uid < 59000 quiet
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 59000 quiet
password-auth:auth        requisite     pam_succeed_if.so uid >= 59000 quiet_success
password-auth:account     sufficient    pam_succeed_if.so uid < 59000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 59000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 59000 quiet
smartcard-auth:account     sufficient    pam_succeed_if.so uid < 59000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 59000 quiet
system-auth:auth        requisite     pam_succeed_if.so uid >= 59000 quiet_success
system-auth:account     sufficient    pam_succeed_if.so uid < 59000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 59000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 59000 quiet

On RHEL 6 it was uid < 500. Does anybody know why it has been changed from 500 to 59000?

Responses

It got changed from 500 to 1000 in RHEL 7. But 59000 is strange. Perhaps some local deployment customization has misfired?

If this is the only change compared to RHEL 7.x standard configuration, this will have the effect of making PAM not log successful logins of regular users with UID < 59000 to the system log. Normally, only system accounts with UID < 1000 have their PAM successful login messages omitted.

I installed RHEL 7 using @core --nodefaults in kickstart. Do you think it might somehow affect it?

This morning I repeated all the steps with the RHEL 7.3 DVD ISO and now the uid is 1000. Does anybody know if it is a bug or a deliberate change or ...? Any clue?

I suspect this is somehow related to VCenter VM clone process: last week we did a fresh clone of RHEL 7 (with uid < 1000 or > 1000) but the clone got all the 1000 changed to 59000.

That sounds plausible, but then it would be a bug in the cloning process.

It might be that the VMware Tools/open-vm-tools will be commanded to make some changes to system settings as part of the cloning process, but one of the changes gets applied to the wrong files.

Which version of VCenter are you using? Are you using open-vm-tools or VMware Tools? Which version? Other people with the same versions might want to check if it happens in their environments too.

Since the change affects the logging of user logins, it might have some security implications. In theory, it might be usable as a part of a scheme to hide some unauthorized activity.

We use VCenter 5.5 + open-vm-tools-10.0.5-4.el7_3.x86_64
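
An added example, not part of the thread and not Red Hat's or VMware's code: a shell check that flags every pam_succeed_if uid threshold differing from the expected value, so cloned hosts can be audited for the change discussed above. The function names check_pam_uid and sample_lines are hypothetical, the expected value 1000 is the RHEL 7 default mentioned in the replies, and the sample lines are constructed after the grep output in the question.

```shell
#!/bin/sh
# Added example: audit pam_succeed_if uid thresholds in grep-style PAM output.

# Reads "file:pam-line" records on stdin, as produced by
#   grep -H pam_succeed_if /etc/pam.d/*
# and prints "file type operator value" for each uid test whose value differs
# from the expected threshold ($1, default 1000). Returns 1 if any were found.
check_pam_uid() {
    expected="${1:-1000}"
    awk -v want="$expected" '
        /^[^:]*:[ \t]*#/ { next }                 # ignore commented-out PAM lines
        /pam_succeed_if\.so/ {
            split($1, head, ":")                   # head[1]=file, head[2]=PAM type
            for (i = 2; i <= NF - 2; i++) {
                # match "uid <operator> <number>" and compare numerically
                if ($i == "uid" && $(i+2) ~ /^[0-9]+$/ && $(i+2) + 0 != want + 0) {
                    print head[1], head[2], $(i+1), $(i+2)
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input: two altered lines, one default line, one comment.
sample_lines() {
    cat <<'EOF'
system-auth:auth        requisite     pam_succeed_if.so uid >= 59000 quiet_success
system-auth:account     sufficient    pam_succeed_if.so uid < 59000 quiet
password-auth:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth:#account     sufficient    pam_succeed_if.so uid < 500 quiet
EOF
}

# Demo on the constructed sample; on a real host, pipe in the grep output instead.
sample_lines | check_pam_uid 1000 || echo "uid thresholds differ from 1000"
```
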