[Pkg-shadow-devel] Bug#166718: Using pam_group to give access to "useful" groups?
Christian Perrier
bubulle at debian.org
Fri Oct 7 16:47:02 UTC 2005
(Steve CC'ed as I'm unsure that libpam-runtime at p.d.o will reach you otherwise)
In a desperate attempt to deal with #166718, #212452, #233894,
#239006, #240707 all requesting the very same thing with different
wording, I tried to use pam_group to see whether it can achieve what's
requested in these bugs (basically, give access to some groups to
"console" users).
I added the following in /etc/pam.d/common-auth:
(just to make it simple, actually)

    auth optional pam_group.so

Then in /etc/security/group.conf:

    # Useful groups for console users
    *;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video

The ":0" is here to give access to users logged through a display
manager such as gdm/kdm/xdm:

    bubulle at mykerinos:~/tmp/mutt> who
    root tty1 Oct 7 17:31
    bubulle :0 Oct 7 18:33
    spongebo :1 Oct 7 18:33

(Yes, I run two displays on my laptop, bubulle being logged on one and
spongebob on another one and, yes, I'm a Sponge Bob fan)
However, while it works fairly well for users logged on a tty terminal,
I can't manage to get this working for X users.
So, a few questions I have:
1) is using pam_group a completely silly solution which will never be
implemented by default because of limitations mentioned in the PAM doc
(users can compile a setgid binary and have it run a shell so that
they get access to the group even when they're not on the authorized
terminal)?
2) do I use the right syntax in /etc/security/group.conf? Obviously
not, but what is then the right syntax? :-)
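
The limitation raised in question 1 can be audited for on a host that uses pam_group. The following Python sketch is an added example, not part of the original message or of the shadow/PAM packages: it reads the groups an /etc/security/group.conf entry hands out and lists setgid files owned by those groups. The function names and the /home scan root are assumptions chosen for illustration.

```python
import grp
import os
import re
import stat

# Constructed sample: the group.conf entry quoted in the message above.
SAMPLE_CONF = """\
# Useful groups for console users
*;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video
"""

def granted_groups(conf_text):
    """Return the group names that group.conf entries can hand out."""
    names = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split(";")               # services;ttys;users;times;groups
        if len(fields) != 5:
            continue
        names.update(g for g in re.split(r"[,\s]+", fields[4]) if g)
    return names

def resolve_gids(names):
    """Map group names to numeric gids, skipping groups absent on this host."""
    gids = {}
    for name in names:
        try:
            gids[grp.getgrnam(name).gr_gid] = name
        except KeyError:
            pass
    return gids

def find_setgid_files(root, gids):
    """List regular files under root that are setgid to one of the gids."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue                       # vanished or unreadable entry
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISGID
                    and st.st_gid in gids):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Assumption: user-writable files live under /home on this host.
    for path in find_setgid_files("/home", resolve_gids(granted_groups(SAMPLE_CONF))):
        print(path)
```

A hit under a user-writable tree means group access granted for one console session can outlive that session, so such files are worth reviewing or the filesystem mounting with nosuid.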