Bug#851243: libpam-systemd: pam_systemd does not catch supplementary groups from pam_group
Michael Biebl
biebl at debian.org
Fri Jan 13 16:10:56 GMT 2017
On 13.01.2017 at 10:33, Juha Erkkilä wrote:
> Package: libpam-systemd
> Version: 232-8
> Severity: normal
>
> Dear Maintainer,
>
> pam_group.so provides a mechanism to add users to supplementary groups
> via configurations from /etc/security/group.conf. This mechanism
> works only partially to user desktop processes when logging in through
> gdm. It may not be that systemd is here to blame, but my suspicion
> is that the systemd user instance is the most relevant component here.
>
> To reproduce, install recent Debian Stretch with GDM and Gnome desktop.
> Configure pam_group.so active by adding the following line to
> /etc/pam.d/common-auth (as the last line):
>
> auth optional pam_group.so
..
> However, when logging in through gdm, only some of the processes belong
> to the "dialout"-group. To reproduce, log in to Gnome desktop through
> gdm, and then start up a gnome-terminal through Alt+F2 and writing
> "gnome-terminal". Also start up an xterm from the terminal. Start up
> another xterm by writing Alt+F2 + "xterm". Now the situation is strange,
> because "gnome-terminal", and the "xterm" do *not* have "dialout" as
> a supplementary group, but the "xterm" that was started through Alt+F2
> actually has!
gnome-terminal uses a systemd --user service which uses
/etc/pam.d/systemd-user.
As you can see, this pam module does not include common-auth.
If you add pam_group to /etc/pam.d/systemd-user I suspect it would work.
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
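
Added example, not part of the original message or of the systemd or Linux-PAM code: a small checker that resolves `@include`, `include` and `substack` references and reports which PAM services never reach pam_group.so in their auth stack. The file contents and the service name `gdm-password` are constructed samples that mirror the situation described in the thread; they are not copied from a real system.

```python
import re

# Constructed sample PAM stacks (assumption, not copied from a real system).
# They mirror the thread: pam_group.so sits in common-auth, the gdm stack
# includes common-auth, the systemd-user stack does not.
SAMPLE_PAM_D = {
    "common-auth": """
        auth [success=1 default=ignore] pam_unix.so nullok_secure
        auth optional pam_group.so
    """,
    "common-account": "account required pam_unix.so\n",
    "gdm-password": """
        @include common-auth
        @include common-account
    """,
    "systemd-user": """
        @include common-account
        session optional pam_systemd.so
    """,
}

def modules_in_stack(service, kind, pam_d, seen=None):
    """Return module names reachable from `service` for one PAM type."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:   # cycle or unknown file
        return []
    seen.add(service)
    found = []
    for raw in pam_d[service].splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if line.startswith("@include"):           # Debian-style: every type
            found += modules_in_stack(line.split()[1], kind, pam_d, seen)
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1) != kind:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):    # Linux-PAM: this type only
            found += modules_in_stack(target, kind, pam_d, seen)
        else:
            found.append(target.rsplit("/", 1)[-1])
    return found

def services_missing(module, kind, services, pam_d):
    """Services whose `kind` stack never reaches `module`."""
    return [s for s in services if module not in modules_in_stack(s, kind, pam_d)]

print(services_missing("pam_group.so", "auth",
                       ["gdm-password", "systemd-user"], SAMPLE_PAM_D))
```

To run it against a real host, build the dictionary from the files under /etc/pam.d instead of the constructed samples.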