pam_group vs. multiple group lines

Ulrich Spoerlein uspoerlein at
Tue Aug 21 13:18:12 PDT 2007


I think I found a deficiency wrt. to pam_group (which also hits sudo(8)
so this might be libc related instead).

I found this while trying to migrate groups into LDAP, but you don't
need LDAP to reproduce this, simply place the following in /etc/group


% getent group|grep wheel;id
uid=1001(us) gid=1000(us) groups=1000(us),0(wheel),80(www)

As you can see, getent(1) and id(1) work fine. File access also works
like expected, except for su(8) (because of pam_group group=wheel in

% su -
su: Sorry

Combine the wheel entries back into one line and su(8) suddenly starts
working again. Same problem hits sudo(8) if your are using a %wheel
line. Since there is no pam.d/sudo on my system I think the bug probably
lies in libc itself.

Is this expected behaviour? I'd classify it as bug ...

Ulrich Spoerlein
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.

More information about the freebsd-stable mailing list