On Fri, Oct 07, 2005 at 06:47:02PM +0200, Christian Perrier wrote:
> (Steve CC'ed as I'm unsure that [EMAIL PROTECTED] will reach you otherwise)

Correct, it wouldn't.

> In a desperate attempt to deal with #166718, #212452, #233894,
> #239006, #240707 all requesting the very same thing with different
> wording, I tried to use pam_group to see whether it can achieve what's
> requested in these bugs (basically, give access to some groups to
> "console" users).

> [EMAIL PROTECTED]:~/tmp/mutt> who
> root     tty1         Oct  7 17:31
> bubulle  :0           Oct  7 18:33
> spongebo :1           Oct  7 18:33

> (Yes, I run two displays on my laptop, bubulle being logged on one and
> spongebob on another one and, yes, I'm a Sponge Bob fan)

> However, while it works fairly well for users logged on tty terminal,
> I can't manage to get this working for X users.

Hah!  Thanks for testing this; I was just looking over the pam_group code
the other day while preparing to get Debian PAM patch 012 integrated
upstream, and I had reached the conclusion that it couldn't actually work
for X users... :)

> 1) is using pam_group a completely silly solution which will never be
> implemented by default because of limitations mentioned in the PAM doc
> (users can compile a setgid binary and have it run a shell so that
> they get access to the group even when they're not on the authorized
> terminal) ?

Yes, pam_group should never be part of the default PAM config because of
the mentioned security holes, and users should be discouraged from using
it.  A user should either be part of the group or not be part of the
group; using pam_group is equivalent to saying that the user is part of
the group.

Now, as long as the admin *understands* this (which is fairly rare), and
is just using pam_group as shorthand for saying "all users that have
physical access to the machine have access to this group", then it's not
a security hole.  And since we do still ship pam_group in Debian (and
upstream), we might as well fix the bugs that keep it from working for X.

> 2) do I use the right syntax in /etc/security/group.conf? Obviously
> not, but what is then the right syntax?

:-)

Just to be sure, can you change your config to look like either this

*;tty*&!ttyp*;*;Al0000-2400;audio cdrom floppy games plugdev video
*;:0;*;Al0000-2400;audio cdrom floppy games plugdev video

or this

*;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video

?  I think you do have an error in your config, because no tty name can
ever simultaneously satisfy the constraints "tty*", "!ttyp*", and ":0".
But I also think that it still won't work after you fix this, due to the
bug in the pam_group patch.  If you still don't get the groups you're
expecting on :0, I can put together an updated patch for pam_groups which
I'd appreciate it if you could test.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
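Editor's note: the following is an added example, not code from this thread, from Debian's PAM patch, or from pam_group itself. It is a small offline evaluator for /etc/security/group.conf lines in the five-field `services;ttys;users;times;groups` form used above, written so an admin can check which groups a line would grant to a given login before enabling the module. The two configs Steve proposes are embedded verbatim; the third config (`tty*&!ttyp*&:0`) is a constructed reconstruction of the contradiction he describes, not Christian's actual file. Assumptions: `&` and `|` in a field are evaluated strictly left to right with no precedence, `!` negates one glob term, and only the `Al` (all days) time prefix seen on this page is supported. It models the documented syntax, not the exact parser, so it says nothing about the separate X-session bug Steve mentions.

```python
import fnmatch
import re

FIELDS = ("services", "ttys", "users", "times", "groups")

# Steve's first proposal: one line for real ttys, one for display :0.
CONF_TWO_LINES = """\
*;tty*&!ttyp*;*;Al0000-2400;audio cdrom floppy games plugdev video
*;:0;*;Al0000-2400;audio cdrom floppy games plugdev video
"""

# Steve's second proposal: a single line using '|' to accept either.
CONF_ONE_LINE = "*;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video\n"

# Constructed illustration of the contradiction Steve points out: a tty name
# cannot satisfy "tty*", "!ttyp*" and ":0" all at once, so this grants nothing.
CONF_CONTRADICTORY = "*;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video\n"


def parse_line(line):
    """Split one group.conf line into its five ';'-separated fields.

    Returns None for blank or comment-only lines and raises ValueError when
    the field count is wrong, the first thing to check in a config that
    silently grants nothing.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = [p.strip() for p in body.split(";")]
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} ';'-separated fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def _tokenize(field):
    """'tty*&!ttyp*|:0' -> [('tty*', '&'), ('!ttyp*', '|'), (':0', None)]."""
    parts = re.split(r"([&|])", field)
    return list(zip(parts[0::2], parts[1::2] + [None]))


def match_logic(field, value):
    """Evaluate a logic-list field (services, ttys or users) against a value.

    Each term is a glob, '!' negates a term, and '&' / '|' combine terms
    strictly left to right with no operator precedence (assumption made for
    this example; it follows the documented syntax, not the real parser).
    """
    result, pending_op = None, None
    for term, next_op in _tokenize(field):
        negate = term.startswith("!")
        hit = fnmatch.fnmatchcase(value, term[1:] if negate else term)
        if negate:
            hit = not hit
        if result is None:
            result = hit
        elif pending_op == "&":
            result = result and hit
        else:  # pending_op == "|"
            result = result or hit
        pending_op = next_op
    return bool(result)


def match_time(field, hhmm):
    """Check a times field such as 'Al0000-2400' against a clock time 'HHMM'.

    Only the 'Al' (all days) prefix used on this page is supported; any other
    day code raises so it is never silently treated as a match.
    """
    m = re.fullmatch(r"Al(\d{4})-(\d{4})", field)
    if not m:
        raise NotImplementedError(f"unsupported times field: {field!r}")
    start, end = int(m.group(1)), int(m.group(2))
    return start <= int(hhmm) < end


def groups_for(config_text, service, tty, user, hhmm):
    """Union of the groups granted by every line whose four selectors match."""
    granted = set()
    for raw in config_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if (match_logic(entry["services"], service)
                and match_logic(entry["ttys"], tty)
                and match_logic(entry["users"], user)
                and match_time(entry["times"], hhmm)):
            # The groups field may be space- or comma-separated.
            granted.update(g for g in re.split(r"[,\s]+", entry["groups"]) if g)
    return granted


if __name__ == "__main__":
    # Logins taken from the 'who' output quoted in the thread.
    sessions = [("login", "tty1", "root"), ("xdm", ":0", "bubulle"), ("xdm", ":1", "spongebo")]
    for name, conf in (("two lines", CONF_TWO_LINES), ("one line", CONF_ONE_LINE),
                       ("contradictory", CONF_CONTRADICTORY)):
        for service, tty, user in sessions:
            print(f"{name:13} {user:9} on {tty:5}: {sorted(groups_for(conf, service, tty, user, '1833'))}")
```

Running it shows that both of Steve's forms grant the six groups on tty1 and on :0 while withholding them from a ttyp* pseudo-terminal, that the conjunctive form matches no tty at all, and, incidentally, that the literal `:0` selector does not cover the second display `:1` from the `who` output.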

