Bug#851243: libpam-systemd: pam_systemd does not catch supplementary groups from pam_group
Juha Erkkilä
Juha.Erkkila at opinsys.fi
Fri Jan 13 09:33:43 GMT 2017
Package: libpam-systemd
Version: 232-8
Severity: normal
Dear Maintainer,
pam_group.so provides a mechanism to add users to supplementary groups
via configurations from /etc/security/group.conf. This mechanism
works only partially to user desktop processes when logging in through
gdm. It may not be that systemd is here to blame, but my suspicion
is that the systemd user instance is the most relevant component here.
To reproduce, install recent Debian Stretch with GDM and Gnome desktop.
Configure pam_group.so active by adding the following line to
/etc/pam.d/common-auth (as the last line):
auth optional pam_group.so
Then configure pam_group to add users to the "dialout" group (any other
group should be fine, as long as the user does not belong to that group
through any other mechanism). Add the following lines to
/etc/security/group.conf:
gdm-password;*;*;Al0000-2400;dialout
sshd;*;*;Al0000-2400;dialout
The "sshd" line is here only for comparative testing to verify that
pam_group works correctly. When logging in through ssh, the user logging
in should now have the "dialout"-group as one supplementary group,
which can be verified like this:
opinsys at the-best:~$ groups
opinsys cdrom floppy audio dip video plugdev netdev bluetooth lpadmin scanner
opinsys at the-best:~$ ssh opinsys at localhost groups
opinsys at localhost's password:
opinsys dialout cdrom floppy audio dip video plugdev netdev bluetooth lpadmin scanner
However, when logging in through gdm, only some of the processes belong
to the "dialout"-group. To reproduce, login to Gnome desktop through
gdm, and then start up a gnome-terminal through Alt+F2 and writing
"gnome-terminal". Also start up an xterm from the terminal. Start up
another xterm by writing Alt+F2 + "xterm". Now the situation is strange,
because "gnome-terminal", and the "xterm" do *not* have "dialout" as
a supplementary group, but the "xterm" that was started through Alt+F2
actually has! See the situation through "ps":
opinsys at the-best:~$ getent group dialout
dialout:x:20:
opinsys at the-best:~$ ps -U $USER -o comm,pid,ppid,supgid
COMMAND PID PPID SUPGID
systemd 1111 1 24,25,29,30,44,46,108,114,115,119,1000
(sd-pam) 1112 1111 -
dbus-daemon 1129 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfsd 1212 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfsd-fuse 1217 1111 24,25,29,30,44,46,108,114,115,119,1000
pulseaudio 1233 1 24,25,29,30,44,46,108,114,115,119,1000
gnome-shell-cal 1241 1111 24,25,29,30,44,46,108,114,115,119,1000
evolution-sourc 1248 1111 24,25,29,30,44,46,108,114,115,119,1000
mission-control 1256 1111 24,25,29,30,44,46,108,114,115,119,1000
goa-daemon 1259 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfs-udisks2-vo 1260 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfs-mtp-volume 1277 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfs-afc-volume 1281 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfs-gphoto2-vo 1286 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfs-goa-volume 1290 1111 24,25,29,30,44,46,108,114,115,119,1000
goa-identity-se 1300 1111 24,25,29,30,44,46,108,114,115,119,1000
evolution-calen 1328 1111 24,25,29,30,44,46,108,114,115,119,1000
tracker-store 1355 1111 24,25,29,30,44,46,108,114,115,119,1000
evolution-calen 1390 1328 24,25,29,30,44,46,108,114,115,119,1000
dconf-service 1398 1111 24,25,29,30,44,46,108,114,115,119,1000
evolution-calen 1402 1328 24,25,29,30,44,46,108,114,115,119,1000
evolution-addre 1427 1111 24,25,29,30,44,46,108,114,115,119,1000
evolution-addre 1438 1427 24,25,29,30,44,46,108,114,115,119,1000
gvfsd-trash 1525 1111 24,25,29,30,44,46,108,114,115,119,1000
gconfd-2 1558 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfsd-burn 1614 1111 24,25,29,30,44,46,108,114,115,119,1000
gvfsd-metadata 1645 1111 24,25,29,30,44,46,108,114,115,119,1000
gnome-keyring-d 11391 1 20,24,25,29,30,44,46,108,114,115,119,1000
gdm-x-session 11394 11386 20,24,25,29,30,44,46,108,114,115,119,1000
Xorg 11396 11394 20,24,25,29,30,44,46,108,114,115,119,1000
gnome-session-b 11403 11394 20,24,25,29,30,44,46,108,114,115,119,1000
xbrlapi 11439 11403 20,24,25,29,30,44,46,108,114,115,119,1000
at-spi-bus-laun 11456 1111 24,25,29,30,44,46,108,114,115,119,1000
dbus-daemon 11461 11456 24,25,29,30,44,46,108,114,115,119,1000
at-spi2-registr 11463 1111 24,25,29,30,44,46,108,114,115,119,1000
gnome-shell 11480 11403 20,24,25,29,30,44,46,108,114,115,119,1000
gnome-settings- 11498 11403 20,24,25,29,30,44,46,108,114,115,119,1000
gnome-software 11515 11403 20,24,25,29,30,44,46,108,114,115,119,1000
tracker-extract 11516 11403 20,24,25,29,30,44,46,108,114,115,119,1000
tracker-miner-a 11518 11403 20,24,25,29,30,44,46,108,114,115,119,1000
tracker-miner-u 11519 11403 20,24,25,29,30,44,46,108,114,115,119,1000
evolution-alarm 11523 11403 20,24,25,29,30,44,46,108,114,115,119,1000
tracker-miner-f 11539 11403 20,24,25,29,30,44,46,108,114,115,119,1000
gsd-printer 11564 1 20,24,25,29,30,44,46,108,114,115,119,1000
gnome-terminal- 11606 1111 24,25,29,30,44,46,108,114,115,119,1000
bash 11612 11606 24,25,29,30,44,46,108,114,115,119,1000
xterm 11769 11612 24,25,29,30,44,46,108,114,115,119,1000
bash 11771 11769 24,25,29,30,44,46,108,114,115,119,1000
xterm 11778 11480 20,24,25,29,30,44,46,108,114,115,119,1000
bash 11780 11778 20,24,25,29,30,44,46,108,114,115,119,1000
sh 11785 11612 24,25,29,30,44,46,108,114,115,119,1000
tee 11786 11612 24,25,29,30,44,46,108,114,115,119,1000
ps 11787 11785 24,25,29,30,44,46,108,114,115,119,1000
Here, the processes "systemd", "pulseaudio" and their descendants
are lacking the "dialout" (20) group, but "gnome-keyring-daemon",
"gdm-x-session" and some others do have it. See also the "xterm"
groups.
This should not be; I think the groups set up by pam_group.so
should be effective for *all* user processes.
This bug is not Gnome-session dependent; I could reproduce the issue also
with the "i3" window manager. I do not think pam_group is here to blame.
It might be an issue with gdm, though, but, because the "systemd"
user instance did not catch the groups, the problem is somewhere there.
I found one bug report which appears to be on the
same issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756458
However, I suspect it may be a configuration error, because
the service rule in /etc/security/group.conf does not match
what gdm currently uses.
Juha
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-systemd depends on:
ii dbus 1.10.14-1
ii libc6 2.24-8
ii libpam-runtime 1.1.8-3.4
ii libpam0g 1.1.8-3.4
ii libselinux1 2.6-3
ii systemd 232-8
ii systemd-sysv 232-8
libpam-systemd recommends no packages.
libpam-systemd suggests no packages.
-- no debconf information
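The diagnostic above (comparing each process's SUPGID column against the GID from getent) can be scripted to flag every process that is missing a given supplementary group. This is an added example, not code from the bug report or from the systemd or pam_group projects; the SAMPLE_PS table is constructed from an abbreviated version of the listing above, and the function names are my own.

```shell
#!/bin/sh
# Added example: find the user's processes that lack a supplementary group,
# working from `ps -U $USER -o comm,pid,ppid,supgid` output.

# Constructed sample: an abbreviated copy of the ps listing in the report.
SAMPLE_PS='COMMAND PID PPID SUPGID
systemd 1111 1 24,25,29,30,44,46,108,114,115,119,1000
(sd-pam) 1112 1111 -
gnome-keyring-d 11391 1 20,24,25,29,30,44,46,108,114,115,119,1000
gnome-terminal- 11606 1111 24,25,29,30,44,46,108,114,115,119,1000
xterm 11778 11480 20,24,25,29,30,44,46,108,114,115,119,1000'

# missing_group GID: read ps output on stdin (header line first) and print
# "COMMAND PID PPID" for each process whose SUPGID list does not contain GID.
# A SUPGID of "-" (no supplementary groups, as for "(sd-pam)") never matches.
missing_group() {
    awk -v gid="$1" 'NR > 1 {
        n = split($4, g, ",")
        found = 0
        for (i = 1; i <= n; i++) if (g[i] == gid) found = 1
        if (!found) print $1, $2, $3
    }'
}

# count_missing GID: how many processes in the sample lack GID.
count_missing() {
    printf '%s\n' "$SAMPLE_PS" | missing_group "$1" | wc -l | tr -d ' '
}

# check_live GROUPNAME: resolve the group with getent, as the report does,
# then scan the live process table of the current user.
check_live() {
    gid=$(getent group "$1" | cut -d: -f3) || return 1
    [ -n "$gid" ] || return 1
    ps -U "$USER" -o comm,pid,ppid,supgid | missing_group "$gid"
}
```

On a system showing the reported behaviour, `check_live dialout` lists the systemd user instance and everything it spawned, while processes started from gdm-x-session are absent from the output.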