Package: pam
Severity: wishlist
Hi
Automatically configuring etc/security/group.conf is not policy
compliant for the moment, as one needs to edit a conffile in the process.
A solution might be to create etc/security/group.conf in the
maintainer scripts so it's not a conffile...
Cheers
Luk
--
Luk Claes - http://people.debian.org/~luk - GPG key 1024D/9B7C328D
Fingerprint: D5AF 25FB 316B 53BB 08E7 F999 E544 DE07 9B7C 328D
Subject: Re: Bug#370346: Make etc/security/group.conf automatically configurable
Date: Sun, 4 Jun 2006 14:17:25 -0700
On Sun, Jun 04, 2006 at 08:17:19PM +0200, Luk Claes wrote:
> Package: pam
> Severity: wishlist
> Automatically configuring etc/security/group.conf is not policy
> compliant for the moment, as one needs to edit a conffile in the process.
> A solution might be to create etc/security/group.conf in the
> maintainer scripts so it's not a conffile...
Why is automatic configuration of /etc/security/group.conf needed?
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
[email protected] http://www.debian.org/
Hi Steve,
On 4 Jun 2006 (doh!) you wrote:
>> A solution might be to create etc/security/group.conf in the
>> maintainer scripts so it's not a conffile...
> Why is automatic configuration of /etc/security/group.conf needed?
from debian-edu-config/cf/cf.kdm:
# Set up locally logged in users to get access to local devices
# Require pam_group in common-auth
# http://www.die.net/doc/linux/man/man5/group.conf.5.html document
# the format
{ /etc/security/group.conf
AppendIfNoSuchLine "*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner"
AppendIfNoSuchLine "*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner"
}
I believe we do this to only add the users to those groups when the
users are logged in on that machine, but I'm not really familiar with
this. Maybe Petter or Vagrant can jump in? ;)
Do we still need this change?
regards,
Holger
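The two group.conf rules quoted above use the pam_group logic-list syntax (fields separated by `;`, terms joined with `&`/`|`, `!` for negation, `*` as a trailing wildcard, day codes plus an HHMM-HHMM range for the time field). The following evaluator is an added, constructed example, not code from Debian's pam package or from debian-edu-config: it parses group.conf text and reports which groups a login on a given service, tty and time would be granted, so the effect of the `tty*&!ttyp*` restriction can be checked without logging in. It approximates pam_group's matching (left-to-right evaluation without precedence, `*` matching the rest of the string, repeated day codes toggling); `%group` user terms and `\` line continuation are not implemented, and the sample rules and logins below are constructed.

```python
"""Evaluate /etc/security/group.conf rules approximately the way pam_group does.

Constructed example (not Debian pam or Debian Edu code). Each of the first
four fields is a logic list: terms joined by '&' / '|', evaluated left to
right, optionally negated with '!', with '*' matching the rest of the string.
A time term is a run of day codes (Mo Tu We Th Fr Sa Su Wk Wd Al; a repeated
day toggles, so 'AlFr' is every day except Friday) followed by HHMM-HHMM,
wrapping past midnight when the end is before the start.
"""
from __future__ import annotations

import datetime as dt
import re
from typing import Callable

DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}
DAY_RE = "Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al"
TERM_RE = re.compile(r"(!?)([^&|!]+)([&|]?)")

# Constructed sample: the two rules Debian Edu appends via cf.kdm.
SAMPLE_GROUP_CONF = """\
# services; ttys; users; times; groups
*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner
*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner
"""


def match_str(pattern: str, value: str) -> bool:
    """Exact match, or prefix match when the pattern contains '*'."""
    star = pattern.find("*")
    return pattern == value if star < 0 else value.startswith(pattern[:star])


def match_time(pattern: str, when: dt.datetime) -> bool:
    """Evaluate one time term such as 'Al0000-2400' or 'Wk0800-1800'."""
    m = re.fullmatch(rf"((?:{DAY_RE})+)(\d{{4}})-(\d{{4}})", pattern)
    if not m:
        return False  # malformed term: fail closed, never grant
    days: set[int] = set()
    for code in re.findall(DAY_RE, m.group(1)):
        days ^= DAY_CODES[code]  # a repeated day code toggles that day off again
    if when.weekday() not in days:
        return False
    now = when.hour * 100 + when.minute
    start, end = int(m.group(2)), int(m.group(3))
    return start <= now < end if start <= end else (now >= start or now < end)


def logic_list(field: str, test: Callable[[str], bool]) -> bool:
    """Evaluate 'a&!b|c' strictly left to right (no operator precedence)."""
    result, op = None, None
    for neg, term, next_op in TERM_RE.findall(field.strip()):
        val = test(term.strip()) != bool(neg)  # '!' inverts the term
        if result is None:
            result = val
        elif op == "&":
            result = result and val
        else:
            result = result or val
        op = next_op
    return bool(result)


def parse_rules(text: str) -> list[tuple[str, ...]]:
    """Split group.conf text into (services, ttys, users, times, groups) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = tuple(p.strip() for p in line.split(";"))
        if len(parts) != 5:
            raise ValueError(f"expected 5 ';'-separated fields: {raw!r}")
        rules.append(parts)
    return rules


def granted_groups(rules, service: str, tty: str, user: str,
                   when: str | dt.datetime) -> list[str]:
    """Groups pam_group would add for this login (ISO 'YYYY-MM-DD HH:MM' accepted)."""
    if isinstance(when, str):
        when = dt.datetime.fromisoformat(when)
    groups: list[str] = []
    for services, ttys, users, times, grp in rules:
        if (logic_list(services, lambda p: match_str(p, service))
                and logic_list(ttys, lambda p: match_str(p, tty))
                and logic_list(users, lambda p: match_str(p, user))
                and logic_list(times, lambda p: match_time(p, when))):
            for g in grp.split(","):
                if g.strip() and g.strip() not in groups:
                    groups.append(g.strip())
    return groups


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_GROUP_CONF)
    for service, tty in [("kdm", "tty1"), ("kdm", ":0"), ("sshd", "ttyp0"), ("sshd", "pts/0")]:
        print(f"{service:4} {tty:6} -> {granted_groups(rules, service, tty, 'alice', '2010-01-28 20:51')}")
```

Running it shows the point of the tty field: a console login on `tty1` or the X display `:0` receives the device groups, while a BSD-style pseudo-terminal `ttyp0` is excluded by `!ttyp*` and a Linux `pts/0` never matches `tty*` at all. Keep in mind that the tty value pam_group sees is whatever the calling service set as PAM_TTY, so the rule only restricts what the service asserts, not where the user physically is.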
[Holger Levsen]
> I believe we do this to only add the users to those groups when
> the users are logged in on that machine, but I'm not really familiar
> with this. Maybe Petter or Vagrant can jump in? ;)
>
> Do we still need this change?
As far as I know, we still need it, yes. It provides access to local
devices etc. for users in LDAP.
Happy hacking,
--
Petter Reinholdtsen
Hi Steve,
the Lenny freeze is approaching fast, any ETA when you will be able to fix
this bug? We would really love to see it fixed in Lenny... also please shout
if you need help...
regards,
Holger
From: Steve Langasek <[email protected]> (received Wed, 02 Sep 2009 09:09:03 GMT)
On Sat, May 03, 2008 at 01:29:40PM +0200, Holger Levsen wrote:
> the Lenny freeze is approaching fast, any ETA when you will be able to fix
> this bug? We would really love to see it fixed in Lenny... also please shout
> if you need help...
Is this still needed, or is it superseded by consolekit yet?
Given that editing of other packages' config files is still a policy
violation, whether or not they're conffiles, this isn't going to be easy to
solve, otherwise - short of not shipping a default group.conf at all.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/ [email protected] [email protected]
From: Petter Reinholdtsen <[email protected]> (received Mon, 25 Jan 2010 19:33:03 GMT)
[Steve Langasek]
> Is this still needed, or is it superseded by consolekit yet?
As far as I know, it is still needed for access to devices like sound
and video input (and possibly also floppy, cdrom for burning, etc). I
might be mistaken, though.
If it is needed, pam_group needs some setting in
/usr/share/pam-configs/ as well to make it possible to enable it in
/etc/pam.d/ too.
> Given that editing of other packages' config files is still a policy
> violation, whether or not they're conffiles, this isn't going to be
> easy to solve, otherwise - short of not shipping a default
> group.conf at all.
Either that or changing the default to match our needs. I believe our
needs actually match those of any larger installation using Debian,
where adding every user to the groups granting access to local devices
is impossible.
Happy hacking,
--
Petter Reinholdtsen
From: Petter Reinholdtsen <[email protected]> (received Thu, 28 Jan 2010 20:03:05 GMT)
tags 370346 + patch
thanks
Attached is a draft patch to make pam_group a default option for
pam-auth-update. It makes pam_group show up like we have used it in
Debian Edu the last few releases, as an optional module before pam_unix
and pam_ldap.
Happy hacking,
--
Petter Reinholdtsen
From: Petter Reinholdtsen <[email protected]> (received Tue, 02 Feb 2010 13:42:10 GMT)
Subject: Re: Make etc/security/group.conf automatically configurable
Date: Tue, 2 Feb 2010 14:40:47 +0100
I tested if one of these group memberships was still needed, and was
surprised by the result. I made sure my test user was only a member
of his own group, no cdrom group membership, and started k3b. It
worked, and was able to burn a CD. No idea how the device access was
handled, as none of the binaries involved seem to be sgid or suid.
I then tried audio recording using audacity, but got no sound. Not
sure if this is related to group membership or not, as I had not
tested if this worked with group membership before I tested without
it.
I lack the equipment to test access to video and floppy devices, so I
can not test that part.
Further testing is needed to figure out if the group pam module is
still needed or not, but the k3b test gave me hope that it might be
dropped from Debian Edu in the future.
Btw, shipping the pam package without the group.conf file is probably
a good idea anyway, as the file is already empty if all the comments
are removed. :)
Happy hacking,
--
Petter Reinholdtsen
From: Petter Reinholdtsen <[email protected]> (received Mon, 22 Mar 2010 10:51:26 GMT)
Subject: Re: Make etc/security/group.conf automatically configurable
Date: Mon, 22 Mar 2010 11:43:18 +0100
I have tested some more, and discovered that LTSP thin clients still
need group membership assigned at login time to get local device
mounting working. The LTSP thin client users need to be members of
the fuse group when they log in.
Using the patch I proposed solves the issue. Because of this, I urge
you to include the pam_group support.
I've asked the LTSP developer to implement support for
consolekit/policykit, but believe Vagrant will need help with this.
See #574516 for information about the LTSP issue.
Happy hacking,
--
Petter Reinholdtsen
From: Petter Reinholdtsen <[email protected]> (received Wed, 28 Apr 2010 07:18:04 GMT)
Subject: Re: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Wed, 28 Apr 2010 09:14:58 +0200
[Petter Reinholdtsen]
> diff -urN pam-1.1.0/debian/pam-configs/group pam-1.1.0-pere/debian/pam-configs/group
> --- pam-1.1.0/debian/pam-configs/group 1970-01-01 01:00:00.000000000 +0100
> +++ pam-1.1.0-pere/debian/pam-configs/group 2010-01-28 20:51:57.000000000 +0100
> @@ -0,0 +1,6 @@
> +Name: Group membership granted at login
> +Default: yes
> +Priority: 257
> +Auth-Type: Primary
> +Auth:
> + optional pam_group.so
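Review bot: `Auth-Type: Primary` is the wrong block for a module that must run on every login. In the Primary block pam-auth-update orders entries by Priority and a successful higher-priority module jumps past everything after it, so with Priority 257 an `optional pam_group.so` is skipped whenever pam_unix, pam_ldap or libpam-heimdal (704) succeeds first. Use `Auth-Type: Additional`, where the entry runs unconditionally after the primary chain and the Priority value stops mattering. Also note that `Default: yes` turns the profile on for every system at upgrade time; that is harmless with the empty default group.conf but should be mentioned in the changelog.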
I just tested this patch with libpam-heimdal with priority 704, and to
make sure pam_group is inserted before this one, the priority should
be changed to a higher number. I propose 800, and here is the patch
to implement it:
diff -urN pam-1.1.0/debian/pam-configs/group pam-1.1.0-pere/debian/pam-configs/group
--- pam-1.1.0/debian/pam-configs/group 1970-01-01 01:00:00.000000000 +0100
+++ pam-1.1.0-pere/debian/pam-configs/group 2010-01-28 20:51:57.000000000 +0100
@@ -0,0 +1,6 @@
+Name: Group membership granted at login
+Default: yes
+Priority: 800
+Auth-Type: Primary
+Auth:
+ optional pam_group.so
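Review bot: raising Priority from 257 to 800 only moves pam_group to the front of the Primary chain; it is still an `optional` entry inside that chain, so its placement keeps depending on which other Primary profiles are installed and on their priorities. The change that actually guarantees it runs is the type, `Auth-Type: Additional`, at which point Priority can stay at 0. Minor: the `+++` header still carries the 2010-01-28 timestamp from the earlier diff although the file content changed.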
The libpam-ldapd priority is 128 while the libpam-heimdal one is 704.
Any idea why they are so different? The ldap module is inserted after
pam_unix, while the heimdal one is inserted before it. Not sure if it
makes sense to insert them at different places in the sequence.
Happy hacking,
--
Petter Reinholdtsen
From: Petter Reinholdtsen <[email protected]> (received Wed, 28 Apr 2010 17:21:03 GMT)
Subject: Re: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Wed, 28 Apr 2010 19:19:28 +0200
[Petter Reinholdtsen]
> I just tested this patch with libpam-heimdal with priority 704, and
> to make sure pam_group is inserted before this one, the priority
> should be changed to a higher number. I propose 800, and here is
> the patch to implement it:
After talking to Steve Langasek about priorities, it became clear that
the problem is not the priority, but the type. The type should be
Additional and not Primary, to make sure it is always used. This
entry is tested and found to work:
Name: Group membership granted at login
Default: yes
Priority: 0
Auth-Type: Additional
Auth:
optional pam_group.so
Happy hacking,
--
Petter Reinholdtsen
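To make the difference between the two types concrete, here is the shape of the /etc/pam.d/common-auth stack that pam-auth-update generates with the profile above enabled. This is an added illustration, not output taken from this bug report: the pam_unix line is the usual Debian default, and the exact `success=N` values depend on which other Primary profiles are enabled on a given system.

```text
# Primary block: entries ordered by Priority; a success jumps over the
# rest of the block straight to pam_permit.so.
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
# Additional block: reached on every successful login, whichever Primary
# module authenticated the user, so pam_group always gets to run.
auth    optional                        pam_group.so
```

Had the profile stayed `Auth-Type: Primary`, the `optional pam_group.so` line would sit among the jump targets above pam_deny.so, and any higher-priority module that succeeded would skip it.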
From: Paul van der Vlis <[email protected]> (received Thu, 05 Apr 2012 18:03:03 GMT)
Subject: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Thu, 05 Apr 2012 19:55:30 +0200
Would be nice if this could be implemented for Wheezy.
Seems not so much work, only creating a file
/usr/share/pam-configs/group . I've tested that on Squeeze and it works
fine (you need to run "pam-auth-update").
It is important that there are no spaces at the beginning of the lines:
----------
Name: Group membership granted at login
Default: yes
Priority: 0
Auth-Type: Additional
Auth:
optional pam_group.so
----------
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
Subject: Re: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Thu, 04 Jun 2020 06:58:15 +0000
I recently came into the same issue while setting up a client in an Active Directory realm. Granting local groups (typically the dialout group, which is needed to access the serial port) from a set of Active Directory groups is the most convenient way I found to give specific users such access (mapping the local groups in the AD is not possible, due to gid issues which may not be consistent across clients).
Is there any reason the /usr/share/pam-configs/group file is not part of the distribution? My understanding is that it does no harm (disabled by default), and would allow easier activation via pam-auth-update.
Last thing to note: when using gdm you also have to enable pam_group in systemd-user (see #851243).
Regards,