pam_group vs. multiple group lines

Scott, Brian Brian.Scott at
Tue Aug 21 17:08:37 PDT 2007



It looks like pam was stopping at the first matching line as you would
expect from the man page for the group file. If there is a bug it is in
the more liberal interpretation by other software.

-----Original Message-----
From: owner-freebsd-stable at
[mailto:owner-freebsd-stable at] On Behalf Of Ulrich Spoerlein
Sent: Wednesday, 22 August 2007 5:51 AM
To: stable at
Subject: pam_group vs. multiple group lines


I think I found a deficiency wrt. pam_group (which also hits sudo(8)
so this might be libc related instead).

I found this while trying to migrate groups into LDAP, but you don't
need LDAP to reproduce this, simply place the following in /etc/group


% getent group|grep wheel;id
uid=1001(us) gid=1000(us) groups=1000(us),0(wheel),80(www)

As you can see, getent(1) and id(1) work fine. File access also works
like expected, except for su(8) (because of pam_group group=wheel in

% su -
su: Sorry

Combine the wheel entries back into one line and su(8) suddenly starts
working again. Same problem hits sudo(8) if you are using a %wheel
line. Since there is no pam.d/sudo on my system I think the bug probably
lies in libc itself.

Is this expected behaviour? I'd classify it as a bug ...

Ulrich Spoerlein
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
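
The two readings discussed in this thread, as an added example that is not part of the original messages: it parses group(5)-format text and reports where a first-match lookup and a merge-all enumeration disagree about membership. The sample file is constructed (the poster's actual /etc/group lines are not shown in the archive), and all function names are hypothetical.

```python
"""Compare first-match and merge-all readings of a group(5) file."""
from collections import defaultdict

# Constructed sample, not the poster's file: "wheel" is split over two lines.
SAMPLE_GROUP = """\
wheel:*:0:root
wheel:*:0:us
www:*:80:us
us:*:1000:
"""

def parse_group(text):
    """Yield (line_no, name, gid, members) for each well-formed entry."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # malformed line: skipped rather than guessed at
        name, _pw, gid, members = fields
        yield no, name, int(gid), [m for m in members.split(",") if m]

def member_first_match(text, group, user):
    """First-match reading: only the first line naming the group counts."""
    for _no, name, _gid, members in parse_group(text):
        if name == group:
            return user in members
    return False

def member_merged(text, group, user):
    """Merge-all reading: membership is taken from every line naming the group."""
    return any(name == group and user in members
               for _no, name, _gid, members in parse_group(text))

def split_groups(text):
    """Return {name: [line numbers]} for groups defined on more than one line."""
    seen = defaultdict(list)
    for no, name, _gid, _members in parse_group(text):
        seen[name].append(no)
    return {n: ls for n, ls in seen.items() if len(ls) > 1}

def disagreements(text):
    """(group, user) pairs on which the two readings give different answers."""
    pairs = {(name, u) for _no, name, _gid, members in parse_group(text) for u in members}
    return sorted(p for p in pairs
                  if member_first_match(text, *p) != member_merged(text, *p))
```

Any name returned by `split_groups` is a candidate for merging back into one line, which is the change that restored su(8) in the report above.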