[Pkg-shadow-devel] Bug#166718: Using pam_group to give access to "useful" groups?
Steve Langasek
vorlon at debian.org
Fri Oct 7 22:42:41 UTC 2005
On Fri, Oct 07, 2005 at 06:47:02PM +0200, Christian Perrier wrote:
> (Steve CC'ed as I'm unsure that libpam-runtime at p.d.o will reach you otherwise)
Correct, it wouldn't.
> In a desperate attempt to deal with #166718, #212452, #233894,
> #239006, #240707 all requesting the very same thing with different
> wording, I tried to use pam_group to see whether it can achieve what's
> requested in these bugs (basically, give access to some groups to
> "console" users).
> bubulle at mykerinos:~/tmp/mutt> who
> root tty1 Oct 7 17:31
> bubulle :0 Oct 7 18:33
> spongebo :1 Oct 7 18:33
> (Yes, I run two displays on my laptop, bubulle being logged on one and
> spongebob on another one and, yes, I'm a Sponge Bob fan)
> However, while it works fairly well for users logged on tty terminal,
> I can't manage to get this working for X users.
Hah! Thanks for testing this; I was just looking over the pam_group code
the other day while preparing to get Debian PAM patch 012 integrated
upstream, and I had reached the conclusion that it couldn't actually work
for X users... :)
> 1) is using pam_group a completely silly solution which will never be
> implemented by default because of limitations mentioned in the PAM doc
> (users can compile a setgid binary and have it run a shell so that
> they get access to the group even when they're not on the authorized
> terminal) ?
Yes, pam_group should never be part of the default PAM config because of
the mentioned security holes, and users should be discouraged from using it.
A user should either be part of the group or not be part of the group; using
pam_group is equivalent to saying that the user is part of the group.
Now, as long as the admin *understands* this (which is fairly rare), and is
just using pam_group as shorthand for saying "all users that have physical
access to the machine have access to this group", then it's not a security
hole. And since we do still ship pam_group in Debian (and upstream), we
might as well fix the bugs that keep it from working for X.
> 2) do I use the right syntax in /etc/security/group.conf? Obviously
> not, but what is then the right syntax? :-)
Just to be sure, can you change your config to look like either this
*;tty*&!ttyp*;*;Al0000-2400;audio cdrom floppy games plugdev video
*;:0;*;Al0000-2400;audio cdrom floppy games plugdev video
or this
*;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video
? I think you do have an error in your config, because no tty name can ever
simultaneously satisfy the constraints "tty*", "!ttyp*", and ":0". But I
also think that it still won't work after you fix this, due to the bug in
the pam_group patch. If you still don't get the groups you're expecting on
:0, I can put together an updated patch for pam_group which I'd appreciate
it if you could test.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon at debian.org             http://www.debian.org/
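The group.conf logic-list semantics discussed above (glob terms joined with `&` and `|`, `!` negating), as an added example that is not part of this thread: the evaluator below is a simplified, hypothetical re-implementation of how pam_group matches the users and ttys fields, not the module's own code; it assumes the services and times fields match and shows why a rule that ands `tty*`, `!ttyp*` and `:0` together can never grant anything, while the `|` form and the two-line form do.

```python
from fnmatch import fnmatchcase

def logic_match(expr: str, value: str) -> bool:
    """Evaluate a pam_group logic list such as 'tty*&!ttyp*|:0' against value.
    Terms are globs ('*' wildcard), a leading '!' negates a term, and terms are
    combined left to right with '&' (and) / '|' (or), without precedence.
    Simplified re-implementation for illustration, not pam_group's own code.
    """
    result = None
    pending_op = None
    term = ""
    for ch in expr + "&":              # trailing sentinel flushes the last term
        if ch not in "&|":
            term += ch
            continue
        matched = fnmatchcase(value, term.lstrip("!"))
        if term.startswith("!"):
            matched = not matched
        if result is None:
            result = matched
        elif pending_op == "&":
            result = result and matched
        else:
            result = result or matched
        pending_op, term = ch, ""
    return bool(result)

def groups_for(config: str, user: str, tty: str) -> set[str]:
    """Return the union of groups granted to user on tty by a group.conf text.
    Fields: users;ttys;services;times;groups. The services and times fields are
    not evaluated here (assumed to match) to keep the example short.
    """
    granted: set[str] = set()
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        users, ttys, _services, _times, groups = (f.strip() for f in line.split(";"))
        if logic_match(users, user) and logic_match(ttys, tty):
            granted.update(groups.split())
    return granted

# Constructed rules mirroring the thread: the first can never match because no
# tty name is both 'tty*' and ':0'; the second is the corrected single-line form.
BROKEN = "*;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video"
FIXED = "*;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video"

if __name__ == "__main__":
    for tty in ("tty1", "ttyp0", ":0"):
        print(tty, sorted(groups_for(BROKEN, "bubulle", tty)), sorted(groups_for(FIXED, "bubulle", tty)))
```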