pam_ldap + nss_ldap, su(1), group wheel and pam_group
Lev Serebryakov
lev at FreeBSD.org
Tue May 31 08:12:40 UTC 2011
Hello, Freebsd-security.
What is the proper way to mix pam_ldap/nss_ldap (no users but root in local
files), su(1) and the check for group `wheel'?
The "files" source should have precedence over "ldap" in
/etc/nsswitch.conf, so that daemons can change user/group before full
network configuration, and so that the local "root" has priority over any
LDAP one.
Group `wheel' should be in /etc/group, because it seems that it
should be available under any conditions.
But the result of this is a conflict: id(1) shows that the user is
included in group `wheel' (from LDAP), because `id' uses
getgroups(2), but su(1) refuses the user, because it uses getgrnam(3),
which finds group "wheel" in /etc/group, where the user doesn't belong
to group "wheel" :(
Is there any `standard' solution to this problem? I know about
sudo(8), but I'm afraid that this inconsistency could bite somewhere
else, and in any case, I want su(1) to work :)
Is there any reason why pam_group(8) is inconsistent with id(1) in
the way it determines which groups a user belongs to?
--
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>