pam_group vs. multiple group lines
Ulrich Spoerlein
uspoerlein at gmail.com
Tue Aug 21 13:18:12 PDT 2007
Hi,

I think I found a deficiency wrt. pam_group (which also hits sudo(8),
so this might be libc related instead).

I found this while trying to migrate groups into LDAP, but you don't
need LDAP to reproduce this, simply place the following in /etc/group:

wheel:*:0:root
wheel:*:0:us

% getent group|grep wheel;id
wheel:*:0:root
wheel:*:0:us
uid=1001(us) gid=1000(us) groups=1000(us),0(wheel),80(www)

As you can see, getent(1) and id(1) work fine. File access also works
as expected, except for su(8) (because of pam_group group=wheel in
pam.d/su).

% su -
su: Sorry

Combine the wheel entries back into one line and su(8) suddenly starts
working again. The same problem hits sudo(8) if you are using a %wheel
line. Since there is no pam.d/sudo on my system I think the bug probably
lies in libc itself.

Is this expected behaviour? I'd classify it as a bug ...

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
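
An added example, not part of the original post: a check that finds group names spread over several lines of a group(5)-format file and lists the users who appear only on the later lines. Treating a lookup by name as seeing only the first matching line is an assumption made for illustration, since the post does not establish the cause; the function names and the sample text are constructed for this example.

```python
# Constructed sample input: the two wheel lines from the post plus one
# ordinary single-line group for contrast.
SAMPLE_GROUP_FILE = """\
wheel:*:0:root
wheel:*:0:us
www:*:80:us
"""

def parse_group(text):
    """Yield (name, gid, members) for each well-formed group(5) line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed lines rather than guess at them
        yield fields[0], int(fields[2]), [m for m in fields[3].split(",") if m]

def first_line_members(text, group):
    """Members on the first line naming `group` (assumed lookup-by-name view)."""
    for name, _gid, members in parse_group(text):
        if name == group:
            return members
    return None  # no such group

def merged_members(text, group):
    """Members collected from every line naming `group`, in file order."""
    seen = {}
    for name, _gid, members in parse_group(text):
        if name == group:
            seen.update(dict.fromkeys(members))
    return list(seen)

def find_split_groups(text):
    """Map each multi-line group to the users missing from its first line."""
    counts = {}
    for name, _gid, _members in parse_group(text):
        counts[name] = counts.get(name, 0) + 1
    report = {}
    for name, n in counts.items():
        if n > 1:
            first = set(first_line_members(text, name))
            report[name] = [m for m in merged_members(text, name) if m not in first]
    return report

if __name__ == "__main__":
    for name, missing in find_split_groups(SAMPLE_GROUP_FILE).items():
        print(f"{name}: split across lines; not on first line: {missing}")
```

Run against a copy of the real group file (or an export of the LDAP groups in the same format), any group in the report is one where access checks on the group name may disagree with what id(1) shows.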