[Pkg-shadow-devel] Bug#166718: Using pam_group to give access to "useful" groups?

Christian Perrier bubulle at debian.org
Fri Oct 7 16:47:02 UTC 2005


(Steve CC'ed as I'm unsure that libpam-runtime at p.d.o will reach you otherwise)

In a desperate attempt to deal with #166718, #212452, #233894,
#239006, #240707 all requesting the very same thing with different
wording, I tried to use pam_group to see whether it can achieve what's
requested in these bugs (basically, give access to some groups to
"console" users).

I added the following in /etc/pam.d/common-auth:
(just to make it simple, actually)

auth       optional   pam_group.so

Then in /etc/security/group.conf:

# Useful groups for console users
*;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video

The ":0" is here to give access to users logged through a display
manager such as gdm/kdm/xdm:


bubulle at mykerinos:~/tmp/mutt> who
root     tty1         Oct  7 17:31
bubulle  :0           Oct  7 18:33
spongebo :1           Oct  7 18:33

(Yes, I run two displays on my laptop, bubulle being logged on one and
spongebob on another one and, yes, I'm a Sponge Bob fan)

However, while it works fairly well for users logged in on a tty terminal,
I can't manage to get this working for X users.

So, a few questions I have:

1) is using pam_group a completely silly solution which will never be
implemented by default because of limitations mentioned in the PAM doc
(users can compile a setgid binary and have it run a shell so that
they get access to the group even when they're not on the authorized
terminal)?

2) do I use the right syntax in /etc/security/group.conf? Obviously
not, but what is then the right syntax? :-)
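
Question 1 above rests on the limitation noted in the PAM doc: a setgid binary keeps a pam_group-granted group after the console session ends. The following audit sketch is an added example, not part of the original message or of the shadow/PAM packages; it reads the groups from the fifth field of group.conf rules and lists executable setgid files owned by them, and the scanned trees (/home, /tmp) are assumptions.

```python
import grp
import os
import stat

# The rule quoted in the message above, reused here as sample input.
SAMPLE_RULE = "*;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video"


def granted_groups(conf_text):
    """Collect the group names from the fifth field of every rule."""
    names = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split(";")
        if len(fields) == 5:                    # services;ttys;users;times;groups
            names.update(fields[4].replace(",", " ").split())
    return names


def resolve_gids(names):
    """Map gid -> name, skipping groups that do not exist on this host."""
    gids = {}
    for name in names:
        try:
            gids[grp.getgrnam(name).gr_gid] = name
        except KeyError:
            pass
    return gids


def find_setgid_files(root, gid_to_name):
    """Return sorted (path, group) for executable setgid files of those groups."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                        # vanished or unreadable
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISGID
                    and st.st_mode & 0o111 and st.st_gid in gid_to_name):
                hits.append((path, gid_to_name[st.st_gid]))
    return sorted(hits)


if __name__ == "__main__":
    # Assumption: user-writable trees worth checking are /home and /tmp.
    gids = resolve_gids(granted_groups(SAMPLE_RULE))
    for tree in ("/home", "/tmp"):
        for path, group in find_setgid_files(tree, gids):
            print(f"{group}\t{path}")
```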





