Debian Bug report logs - #370346
Make etc/security/group.conf automatically configurable

Package: pam; Maintainer for pam is Steve Langasek <vorlon@debian.org>;

Reported by: Luk Claes <luk@debian.org>

Date: Sun, 4 Jun 2006 18:34:14 UTC

Severity: wishlist

Tags: patch

Blocking fix for 311188: debian-edu-config: Messes "programmatically" with conffiles of other packages



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#370346; Package pam. Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: submit@bugs.debian.org
Subject: Make etc/security/group.conf automatically configurable
Date: Sun, 04 Jun 2006 20:17:19 +0200
[Message part 1 (text/plain, inline)]
Package: pam
Severity: wishlist

Hi

Automatically configuring etc/security/group.conf is not policy
compliant for the moment as one needs to edit a conffile in the process.

A solution might be to create etc/security/group.conf in the
maintainerscripts so it's no conffile...

Cheers

Luk

-- 
Luk Claes - http://people.debian.org/~luk - GPG key 1024D/9B7C328D
Fingerprint:   D5AF 25FB 316B 53BB 08E7   F999 E544 DE07 9B7C 328D


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#370346; Package pam. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #10 received at 370346@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Luk Claes <luk@debian.org>, 370346@bugs.debian.org
Subject: Re: Bug#370346: Make etc/security/group.conf automatically configurable
Date: Sun, 4 Jun 2006 14:17:25 -0700
On Sun, Jun 04, 2006 at 08:17:19PM +0200, Luk Claes wrote:
> Package: pam
> Severity: wishlist

> Automatically configuring etc/security/group.conf is not policy
> compliant for the moment as one needs to edit a conffile in the process.

> A solution might be to create etc/security/group.conf in the
> maintainerscripts so it's no conffile...

Why is automatic configuration of /etc/security/group.conf needed?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Blocking bugs added: 370319, 370324, 370332, 370337, 370338, 370339, 370340, 370342, 370343, 370344, 370346, 370347, 370348, 370349, 370350, and 370351 Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Blocking bugs removed: 370319, 370324, 370332, 370337, 370338, 370339, 370340, 370342, 370343, 370344, 370346, 370347, 370348, 370349, 370350, 370351, and 370393 Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Blocking bugs added: 370319, 370324, 370332, 370337, 370338, 370339, 370340, 370342, 370343, 370344, 370346, 370347, 370348, 370349, 370350, 370351, and 370393 Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. Full text and rfc822 format available.

Message #21 received at 370346@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 370346@bugs.debian.org
Cc: pere@hungry.com, vagrant@freegeek.org
Subject: /etc/security/groups.conf
Date: Sat, 5 Apr 2008 20:11:34 +0200
[Message part 1 (text/plain, inline)]
Hi Steve,

On 4 Jun 2006 (doh!) you wrote: 

>> A solution might be to create etc/security/group.conf in the
>> maintainerscripts so it's no conffile...
> Why is automatic configuration of /etc/security/group.conf needed?

from debian-edu-config/cf/cf.kdm:

  # Set up locally logged in users to get access to local devices
  # Require pam_group in common-auth
  # http://www.die.net/doc/linux/man/man5/group.conf.5.html document
  # the format
    { /etc/security/group.conf
      AppendIfNoSuchLine "*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner"
      AppendIfNoSuchLine "*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner"
    }

I believe we do this, to only add the users to those groups, when the
users are logged in on that machine, but I'm not really familiar with 
this. Maybe Petter or Vagrant can jump in? ;)

Do we still need this change?


regards,
	Holger
[Message part 2 (application/pgp-signature, inline)]
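
Added example (not part of the thread or of debian-edu-config): a simplified Python model of how the two group.conf rules quoted above are matched, so an administrator can check which logins would receive the device groups. It assumes the `services; ttys; users; times; groups` layout of group.conf(5), left-to-right `&`/`|` evaluation and plain names only (no netgroup syntax); the function names and sample logins are constructed for illustration.

```python
import re
from datetime import datetime

# The two rules quoted from debian-edu-config/cf/cf.kdm in the message above.
RULES = [
    "*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner",
    "*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video,scanner",
]
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
DAY_SETS = {"Al": set(DAYS), "Wk": set(DAYS[:5]), "Wd": set(DAYS[5:])}


def evaluate(expr, term_fn):
    """Combine '&' / '|' separated terms strictly left to right."""
    parts = re.split(r"([&|])", expr.replace(" ", ""))
    result = term_fn(parts[0])
    for op, term in zip(parts[1::2], parts[2::2]):
        hit = term_fn(term)
        result = (result and hit) if op == "&" else (result or hit)
    return result


def glob_term(value):
    """Matcher for one service/tty/user term: optional '!' and '*' wildcard."""
    def match(term):
        pattern = re.escape(term.lstrip("!")).replace(r"\*", ".*")
        return (re.fullmatch(pattern, value) is not None) != term.startswith("!")
    return match


def time_term(when):
    """Matcher for one time term such as 'Al0000-2400' or '!Wd0800-1600'."""
    def match(term):
        m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", term.lstrip("!"))
        if m is None:
            return False  # a malformed term never grants anything
        days = set()
        for code in re.findall("..", m.group(1)):
            days ^= DAY_SETS.get(code, {code})  # a repeated day is unset again
        now, start, end = when.hour * 100 + when.minute, int(m[2]), int(m[3])
        inside = start <= now < end if start <= end else now >= start or now < end
        return (DAYS[when.weekday()] in days and inside) != term.startswith("!")
    return match


def granted_groups(service, tty, user, when, rules=RULES):
    """Return the set of extra groups the rules would grant this login."""
    granted = set()
    for line in rules:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times, groups = (f.strip() for f in line.split(";"))
        if (evaluate(services, glob_term(service)) and evaluate(ttys, glob_term(tty))
                and evaluate(users, glob_term(user)) and evaluate(times, time_term(when))):
            granted.update(g.strip() for g in groups.split(","))
    return granted
```

Because both rules use `*` for the service and user fields, the tty name is the only thing that separates a console or `:0` login from any other session that runs pam_group.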

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. Full text and rfc822 format available.

Message #26 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: Holger Levsen <holger@layer-acht.org>, 370346@bugs.debian.org, vagrant@freegeek.org
Subject: Re: /etc/security/groups.conf
Date: Sat, 5 Apr 2008 20:27:22 +0200
[Holger Levsen]
> I believe we do this, to only add the users to those groups, when
> the users are logged in on that machine, but I'm not really familiar
> with this. Maybe Petter or Vagrant can jump in? ;)
> 
> Do we still need this change?

As far as I know, we still need it, yes.  It provides access to local
devices etc for users in LDAP.

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. Full text and rfc822 format available.

Message #31 received at 370346@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 370346@bugs.debian.org
Subject: any news?
Date: Sat, 3 May 2008 13:29:40 +0200
[Message part 1 (text/plain, inline)]
Hi Steve,

the Lenny freeze is approaching fast, any ETA when you will be able to fix 
this bug? We would really love to see it fixed in Lenny... also please shout 
if you need help...


regards,
	Holger
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#370346; Package pam. (Wed, 02 Sep 2009 09:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Wed, 02 Sep 2009 09:09:03 GMT) Full text and rfc822 format available.

Message #36 received at 370346@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 370346@bugs.debian.org
Subject: Re: Bug#370346: any news?
Date: Wed, 2 Sep 2009 02:01:43 -0700
[Message part 1 (text/plain, inline)]
On Sat, May 03, 2008 at 01:29:40PM +0200, Holger Levsen wrote:
> the Lenny freeze is approaching fast, any ETA when you will be able to fix 
> this bug? We would really love to see it fixed in Lenny... also please shout 
> if you need help...

Is this still needed, or is it superseded by consolekit yet?

Given that editing of other packages' config files is still a policy
violation, whether or not they're conffiles, this isn't going to be easy to
solve, otherwise - short of not shipping a default group.conf at all.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Mon, 25 Jan 2010 19:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 25 Jan 2010 19:33:03 GMT) Full text and rfc822 format available.

Message #41 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 370346@bugs.debian.org
Cc: Holger Levsen <holger@layer-acht.org>
Subject: Re: Bug#370346: any news?
Date: Mon, 25 Jan 2010 20:32:07 +0100
[Steve Langasek]
> Is this still needed, or is it superseded by consolekit yet?

As far as I know, it is still needed for access to devices like sound
and video input (and possibly also floppy, cdrom for burning, etc).  I
might be mistaken, though.

If it is needed, pam_group needs some setting in
/usr/share/pam-configs/ as well to make it possible to enable it in
/etc/pam.d/ too.

> Given that editing of other packages' config files is still a policy
> violation, whether or not they're conffiles, this isn't going to be
> easy to solve, otherwise - short of not shipping a default
> group.conf at all.

Either that or changing the default to match our needs.  I believe our
needs actually match those of any larger installation using Debian,
where adding every user to the groups granting access to local devices
is impossible.

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Thu, 28 Jan 2010 20:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Thu, 28 Jan 2010 20:03:05 GMT) Full text and rfc822 format available.

Message #46 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 370346@bugs.debian.org, Holger Levsen <holger@layer-acht.org>
Subject: Re: Bug#370346: any news?
Date: Thu, 28 Jan 2010 20:59:50 +0100
[Message part 1 (text/plain, inline)]
tags 370346 + patch
thanks

Attached is a draft patch to make pam_group a default option for
pam-auto-update.  It makes pam_group show up like we have used it in
Debian Edu the last few releases as an optional module before pam_unix
and pam_ldap.

Happy hacking,
-- 
Petter Reinholdtsen
[pam-group.diff (text/plain, attachment)]

Added tag(s) patch. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Thu, 28 Jan 2010 20:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Tue, 02 Feb 2010 13:42:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 02 Feb 2010 13:42:10 GMT) Full text and rfc822 format available.

Message #53 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 370346@bugs.debian.org
Subject: Re: Make etc/security/group.conf automatically configurable
Date: Tue, 2 Feb 2010 14:40:47 +0100
I tested if one of these group memberships were still needed, and was
surprised by the result.  I made sure my test user only was a member
of his own group, no cdrom group membership, and started k3b.  It
worked, and was able to burn a CD.  No idea how the device access was
handled, as none of the binaries involved seem to be sgid or suid.

I then tried audio recording using audacity, but got no sound.  Not
sure if this is related to group membership or not, as I had not
tested if this worked with group membership before I tested without
it.

I lack the equipment to test access to video and floppy devices, so I
can not test that part.

Further testing is needed to figure out if the group pam module is
still needed or not, but the k3b test gave me hope that it might be
dropped from Debian Edu in the future.

Btw, shipping the pam package without the group.conf file is probably
  a good idea anyway, as the file is already empty if all the comments
  are removed. :)

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Mon, 22 Mar 2010 10:51:26 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 22 Mar 2010 10:51:26 GMT) Full text and rfc822 format available.

Message #58 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 370346@bugs.debian.org
Subject: Re: Make etc/security/group.conf automatically configurable
Date: Mon, 22 Mar 2010 11:43:18 +0100
I have tested some more, and discovered that LTSP thin clients still
need group membership assigned at login time to get local device
mounting working.  The LTSP thin client users need to be members of
the fuse group when they log in.

Using the patch I proposed solves the issue.  Because of this, I urge
you to include the pam_group support.

I've asked the LTSP developer to implement support for
consolekit/policykit, but believe Vagrant will need help with this.

See #574516 for information about the LTSP issue.

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Wed, 28 Apr 2010 07:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 28 Apr 2010 07:18:04 GMT) Full text and rfc822 format available.

Message #63 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 370346@bugs.debian.org, Holger Levsen <holger@layer-acht.org>
Subject: Re: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Wed, 28 Apr 2010 09:14:58 +0200
[Petter Reinholdtsen]
> diff -urN pam-1.1.0/debian/pam-configs/group pam-1.1.0-pere/debian/pam-configs/group
> --- pam-1.1.0/debian/pam-configs/group	1970-01-01 01:00:00.000000000 +0100
> +++ pam-1.1.0-pere/debian/pam-configs/group	2010-01-28 20:51:57.000000000 +0100
> @@ -0,0 +1,6 @@
> +Name: Group membership granted at login
> +Default: yes
> +Priority: 257
> +Auth-Type: Primary
> +Auth:
> +	optional			pam_group.so
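
Review bot: `Auth-Type: Primary` does not fit the module line below it, which is `optional pam_group.so`: a module that never decides whether authentication succeeds should not sit among the primary authentication modules, where its position depends on how `Priority: 257` sorts against every other profile. Suggest `Auth-Type: Additional`, plus a short comment in the profile stating that the groups granted come entirely from /etc/security/group.conf, since `Default: yes` enables this without the administrator choosing it.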

I just tested this patch with libpam-heimdal with priority 704, and to
make sure pam_group is inserted before this one, the priority should
be changed to a higher number.  I propose 800, and here is the patch
to implement it:

diff -urN pam-1.1.0/debian/pam-configs/group pam-1.1.0-pere/debian/pam-configs/group
--- pam-1.1.0/debian/pam-configs/group	1970-01-01 01:00:00.000000000 +0100
+++ pam-1.1.0-pere/debian/pam-configs/group	2010-01-28 20:51:57.000000000 +0100
@@ -0,0 +1,6 @@
+Name: Group membership granted at login
+Default: yes
+Priority: 800
+Auth-Type: Primary
+Auth:
+	optional			pam_group.so
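
Review bot: `Priority: 800` is an unexplained magic number, chosen only to sort ahead of one other profile at 704, and nothing in the file records that constraint. Any Primary profile that ships a higher value brings the ordering problem back, so the entry should not rely on ordering among Primary modules at all; if the number stays, document next to the `Priority:` line which profiles it has to outrank. `Default: yes` also switches the module on for every installation at the next pam-auth-update run, which is worth a changelog or NEWS entry.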

The libpam-ldapd priority is 128 while the libpam-heimdal one is 704.
Any idea why they are so different?  The ldap module is inserted after
pam_unix, while the heimdal one is inserted before it.  Not sure if it
makes sense to insert them at different places in the sequence.

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Wed, 28 Apr 2010 17:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 28 Apr 2010 17:21:03 GMT) Full text and rfc822 format available.

Message #68 received at 370346@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 370346@bugs.debian.org, Holger Levsen <holger@layer-acht.org>
Subject: Re: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Wed, 28 Apr 2010 19:19:28 +0200
[Petter Reinholdtsen]
> I just tested this patch with libpam-heimdal with priority 704, and
> to make sure pam_group is inserted before this one, the priority
> should be changed to a higher number.  I propose 800, and here is
> the patch to implement it:

After talking to Steve Langasek about priorities, it became clear that
the problem is not the priority, but the type.  The type should be
Additional and not Primary, to make sure it is always used.  This
entry is tested and found to work:

  Name: Group membership granted at login
  Default: yes
  Priority: 0
  Auth-Type: Additional
  Auth:
        optional                        pam_group.so

Happy hacking,
-- 
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#370346; Package pam. (Thu, 05 Apr 2012 18:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul van der Vlis <paul@vandervlis.nl>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Thu, 05 Apr 2012 18:03:03 GMT) Full text and rfc822 format available.

Message #73 received at 370346@bugs.debian.org (full text, mbox):

From: Paul van der Vlis <paul@vandervlis.nl>
To: 370346@bugs.debian.org
Subject: Bug#370346: Update for pam_group patch for pam-auth-config
Date: Thu, 05 Apr 2012 19:55:30 +0200
Would be nice if this could be implemented for Wheezy.

Seems not so much work, only creating a file
/usr/share/pam-configs/group . I've tested that on Squeeze and it works
fine (you need to run "pam-auth-update").

It is important that there are no spaces at the beginning of the lines:
----------
Name: Group membership granted at login
Default: yes
Priority: 0
Auth-Type: Additional
Auth:
      optional                        pam_group.so
----------

With regards,
Paul van der Vlis.



-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:58:32 2014; Machine Name: beach.debian.org
