pam_group.so is not evaluated by gnome-terminal
| Affects | Status | Importance | Assigned to |
|---|---|---|---|
| systemd | Fix Released | Undecided | Unassigned |
| systemd (Ubuntu) | | Medium | Dariusz Gadomski |
| Xenial | Won't Fix | Undecided | Unassigned |
| Bionic | Fix Released | Medium | Dariusz Gadomski |
| Cosmic | Won't Fix | Undecided | Unassigned |
| Eoan | Fix Released | Medium | Dariusz Gadomski |
| Focal | Fix Released | Medium | Dariusz Gadomski |
Bug Description
[Impact]
The pam_setcred call was missing in systemd, making its implementation of the PAM protocol incomplete. This could manifest in different ways, but one particularly problematic for enterprise environments was that processes never received the group membership they were expected to get via the pam_group module.
[Test Case]
* Add a /etc/security/
*;*;
* Add pam_group to your PAM stack, e.g. /etc/pam.
* Login to the system and launch gnome-terminal (it will be launched via gnome-terminal-
Expected result:
Logged in user is a member of 'dialout' and 'users' groups.
Actual result:
no group membership gained from pam_group.
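A check for the test case above, as an added example that is not code from the bug report, systemd or Linux-PAM: it parses the group.conf rule format (services;ttys;users;times;groups), computes the groups pam_group should have granted for a login, and diffs them against the line that `groups` prints in a session, which is what the verification comments later in the thread compare by eye. The sample config is constructed; the time field is assumed always active, and list matching is a simplified approximation of pam_group's logic lists.

```python
"""Added example (not from the bug report, systemd or Linux-PAM): parse the
/etc/security/group.conf rule format (services;ttys;users;times;groups),
derive the groups pam_group would grant, and diff them against `groups`.
Assumed simplifications: times is treated as always active; list matching
approximates pam_group's logic lists (",", "*" wildcard, "!" negation)."""
import fnmatch

# Constructed sample in group.conf syntax (not taken from the report).
SAMPLE_GROUP_CONF = """\
# services; ttys; users; times; groups
*;*;alice;Al0000-2400;dialout,users
sshd;*;*;Al0000-2400;sshusers
login;tty*,!tty3;*;Al0000-2400;console
"""

def parse_group_conf(text):
    """Return a list of (services, ttys, users, times, [groups]) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"malformed group.conf line: {raw!r}")
        services, ttys, users, times, groups = fields
        rules.append((services, ttys, users, times,
                      [g for g in groups.split(",") if g]))
    return rules

def _matches(pattern, value):
    """Approximate pam_group list semantics for one field."""
    matched = False
    for item in pattern.split(","):
        negated = item.startswith("!")
        hit = fnmatch.fnmatchcase(value, item.lstrip("!"))
        if negated and hit:
            return False  # an explicit exclusion wins
        if hit or negated:
            matched = True
    return matched

def expected_groups(rules, service, tty, user):
    """Groups pam_group would add for this service, tty and user."""
    granted = []
    for services, ttys, users, _times, groups in rules:
        if all(_matches(p, v) for p, v in
               ((services, service), (ttys, tty), (users, user))):
            granted += [g for g in groups if g not in granted]
    return granted

def missing_groups(expected, groups_output):
    """Expected groups absent from one line of `groups` output."""
    actual = set(groups_output.split())
    return [g for g in expected if g not in actual]
```

With the real file, pass `open('/etc/security/group.conf').read()` to parse_group_conf and `subprocess.check_output(['groups'], text=True)` to missing_groups from inside the session under test; an empty result means every applicable rule took effect.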
[Regression Potential]
* It introduces a new PAM warning message in some scenarios (e.g. for systemd DynamicUser=1 units) for users that cannot authenticate (pam_setcred fails in such a case).
* On certain systems, user group membership may now be extended by pam_group.
[Other Info]
Original bug description:
We are using Ubuntu in a university network with lots of ldap users. To automatically map ldap users/groups to local groups we are using pam_group.so. This has worked for years.
With the upgrade from Xenial to Bionic /etc/security/
According to https:/
Nevertheless, this behavior is very unexpected when upgrading from Xenial to Bionic and therefore should at least be added to the changelog.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-terminal 3.28.0-1ubuntu1
ProcVersionSign
Uname: Linux 4.15.0-10-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.9-0ubuntu4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 9 13:17:52 2018
InstallationDate: Installed on 2018-03-29 (11 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180321)
SourcePackage: gnome-terminal
UpgradeStatus: No upgrade log present (probably fresh install)
mtemp (mtemp) wrote: #1
Chadarius (csutton-chadarius) wrote: #2
Chadarius (csutton-chadarius) wrote: #3
There is also a Gnome bug for this at https:/
Launchpad Janitor (janitor) wrote: #4
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in gnome-terminal (Ubuntu): status: New → Confirmed
Dariusz Gadomski (dgadomski) wrote: #5
According to my tests GDM works as expected - checking groups the user belongs to on different terminal emulators (e.g. xterm) proves that the /etc/security/
The problem in this case affects gnome-terminal alone (and the problem is present also if using e.g. LightDM instead of GDM).
This is related to the way gnome-terminal-
The issue is reported to systemd along with a PR fixing it:
https:/
affects: gnome-terminal → systemd
Changed in gnome-terminal (Ubuntu): status: Confirmed → Invalid
Changed in systemd: status: Unknown → New
no longer affects: gnome-terminal (Ubuntu Bionic)
no longer affects: gnome-terminal (Ubuntu Cosmic)
Steve Langasek (vorlon) wrote: #6
pam_group is a historical curiosity. While we should continue to ship it in pam for compatibility with existing configurations, there is no good reason to use it in a new deployment, and we should not consider incompatibility with pam_group to itself be a reason to change the behavior of a pam application.
Static group memberships should be expressed through NSS, not through pam_group, so that the system has a consistent view of the memberships. This includes group memberships at large LDAP installations. You may want to be using sssd for this.
pam_group's support for dynamic group assignments (time-of-day, etc) is inherently flawed, because there is no support for runtime revocation of group membership of Unix processes, and there is no associated service to reap processes with out-of-policy group memberships. pam_group's dynamic group assignments should be considered entirely superseded by logind.
I believe the behavior of calling pam_setcred() from a pam application that has not first called pam_authenticate() is undefined, so I don't think this is a good general solution for applications aside from pam_group.
So I'm closing this bug as wontfix unless a clearer rationale for this change presents itself.
Changed in systemd (Ubuntu Bionic): status: New → Won't Fix
Changed in systemd (Ubuntu): status: New → Invalid; status: Invalid → Won't Fix
Changed in systemd (Ubuntu Cosmic): status: New → Won't Fix
no longer affects: gnome-terminal (Ubuntu Xenial)
Dariusz Gadomski (dgadomski) wrote: #7
This issue has been fixed upstream; I believe it makes sense to also have it in Ubuntu.
Changed in systemd (Ubuntu Bionic): status: Won't Fix → In Progress
Changed in systemd (Ubuntu): status: Won't Fix → In Progress; assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in systemd (Ubuntu Bionic): assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in systemd (Ubuntu Eoan): status: New → In Progress; assignee: nobody → Dariusz Gadomski (dgadomski)
Dariusz Gadomski (dgadomski) wrote: #8
SRU proposal for Focal (upstream backport).
Dariusz Gadomski (dgadomski) wrote: #9
Please hold on with uploading until https:/
no longer affects: gnome-terminal (Ubuntu)
Dariusz Gadomski (dgadomski) wrote: #10
SRU proposal for focal.
Upstream regression has been resolved and the fix is integrated in the patch.
no longer affects: gnome-terminal (Ubuntu Eoan)
Changed in systemd (Ubuntu Focal): importance: Undecided → Medium
Changed in systemd (Ubuntu Eoan): importance: Undecided → Medium
Changed in systemd (Ubuntu Bionic): importance: Undecided → Medium
description: updated
Dariusz Gadomski (dgadomski) wrote: #11
SRU proposal for bionic.
Dariusz Gadomski (dgadomski) wrote: #13
SRU proposal for eoan (patches split)
Dariusz Gadomski (dgadomski) wrote: #14
SRU proposal for bionic (patches split)
tags: added: sts sts-sponsor-ddstreet
tags: added: ddstreet-next
Launchpad Janitor (janitor) wrote: #15
This bug was fixed in the package systemd - 244.1-0ubuntu2
---------------
systemd (244.1-0ubuntu2) focal; urgency=medium
[ Dimitri John Ledkov ]
* shutdown: do not detach autoclear loopback devices
Author: Dimitri John Ledkov
File: debian/
https:/
[ Balint Reczey ]
* Revert upstream commit breaking IPv4 DHCP in LXC containers in 244.1
(LP: #1857123)
File: debian/
https:/
systemd (244.1-0ubuntu1) focal; urgency=medium
* New upstream version 244.1
- network: set ipv6 mtu after link-up or device mtu change (LP: #1671951)
- & other changes
* Refresh patches.
- Dropped changes:
* d/p/lp-1853852-*: fix issues with muliplexed shmat calls (LP: #1853852)
Files:
- debian/
- debian/
https:/
* d/p/lp1671951-
set ipv6 mtu at correct time
* pstore: Don't start systemd-
Usually it is not useful and can also fail making
boot-
File: debian/
https:/
* Revert: network: do not drop foreign config if interface is in initialized state.
This fixes FTBFS with the other network-related reverts.
File: debian/
https:/
systemd (244-3ubuntu5) focal; urgency=medium
[ Dariusz Gadomski ]
* d/p/lp1762391/
d/p/
d/p/
d/p/
d/p/
d/p/
- Restore call to pam_setcred (LP: #1762391)
[ Dan Streetman ]
* d/t/storage: without scsi_debug, skip test (LP: #1847816)
systemd (244-3ubuntu4) focal; urgency=medium
* d/p/lp1671951-
set ipv6 mtu at correct time (LP: #1671951)
* d/p/0001-
d/p/
Changed in systemd (Ubuntu Focal): status: In Progress → Fix Released
Dariusz Gadomski (dgadomski) wrote: #16
systemd in Xenial differs too much to cleanly apply the upstream fix. It would require reimplementing it and may be more risky than useful.
Marking Won't fix.
Changed in systemd (Ubuntu Xenial): status: New → Won't Fix
Hello mtemp, or anyone else affected,
Accepted systemd into eoan-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in systemd (Ubuntu Eoan): status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-eoan
Steve Langasek (vorlon) wrote: #18
Hello mtemp, or anyone else affected,
Accepted systemd into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in systemd (Ubuntu Bionic): status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Ubuntu SRU Bot (ubuntu-sru-bot) wrote: Autopkgtest regression report (systemd/237-3ubuntu10.34) #19
All autopkgtests for the newly accepted systemd (237-3ubuntu10.34) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:
php7.2/
openssh/
dovecot/
gvfs/1.
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
All autopkgtests for the newly accepted systemd (242-7ubuntu3.3) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:
samba/2:
netplan.
gnome-desktop3/
systemd/
munin/2.
bolt/0.8-4 (armhf)
umockdev/0.13.2-1 (armhf)
openssh/
linux-oem-
multipath-
knot-resolver/
lxc/3.0.4-0ubuntu1 (amd64, ppc64el, i386)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
Dariusz Gadomski (dgadomski) wrote: #21
I have just verified bionic. With version 237-3ubuntu10.34 after replaying test case from the description I see the groups from /etc/security/
ubuntu@bionic:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin sambashare vboxsf
tags: added: verification-done-bionic removed: verification-needed-bionic
Dariusz Gadomski (dgadomski) wrote: #22
With identical setup and testcase for eoan I have managed to successfully verify the patch with version 242-7ubuntu3.3:
ubuntu@eoan:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin lxd sambashare
ubuntu@eoan:~$
tags: added: verification-done-eoan removed: verification-needed-eoan
tags: added: verification-done removed: verification-needed
Dimitri John Ledkov (xnox) wrote: #23
This SRU needs to be reuploaded, due to a security update that trumped this in-progress SRU.
Changed in systemd (Ubuntu Bionic): status: Fix Committed → In Progress
Changed in systemd (Ubuntu Eoan): status: Fix Committed → In Progress
tags: added: verification-failed verification-failed-bionic verification-failed-eoan removed: verification-done verification-done-bionic verification-done-eoan
Hello mtemp, or anyone else affected,
Accepted systemd into eoan-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in systemd (Ubuntu Eoan): status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-eoan removed: verification-failed verification-failed-eoan
Changed in systemd (Ubuntu Bionic): status: In Progress → Fix Committed
tags: added: verification-needed-bionic removed: verification-failed-bionic
Steve Langasek (vorlon) wrote: #25
Hello mtemp, or anyone else affected,
Accepted systemd into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Ubuntu SRU Bot (ubuntu-sru-bot) wrote: Autopkgtest regression report (systemd/237-3ubuntu10.39) #26
All autopkgtests for the newly accepted systemd (237-3ubuntu10.39) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:
php7.2/
gvfs/1.
lxc/3.0.
systemd/
netplan.
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
All autopkgtests for the newly accepted systemd (242-7ubuntu3.7) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:
remctl/3.15-1build2 (armhf)
systemd-
netplan.
systemd/
sks/unknown (armhf)
munin/2.
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
Dariusz Gadomski (dgadomski) wrote: #28
I have repeated verification for eoan (242-7ubuntu3.7) with identical results.
ubuntu@eoan:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin lxd sambashare
Dariusz Gadomski (dgadomski) wrote: #29
Similarly for bionic, using version 237-3ubuntu10.39, verification was also successful:
ubuntu@bionic:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin sambashare vboxsf
tags: added: verification-done verification-done-bionic verification-done-eoan removed: verification-needed verification-needed-bionic verification-needed-eoan
The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote: #31
This bug was fixed in the package systemd - 242-7ubuntu3.7
---------------
systemd (242-7ubuntu3.7) eoan; urgency=medium
[ Dariusz Gadomski ]
* d/p/lp1762391/
d/p/
d/p/
d/p/
d/p/
d/p/
d/p/
d/p/
- Restore call to pam_setcred (LP: #1762391)
* d/p/lp1846232/
d/p/
- do not always bump MTU with additional 4bytes (LP: #1846232)
* d/p/lp1671951-
- set ipv6 mtu at correct time (LP: #1671951)
* d/p/lp1845909/
d/p/
d/p/
d/p/
d/p/
- drop foreign config and raise interface after setting genmode
(LP: #1845909)
* d/t/storage: without scsi_debug, skip test (LP: #1847816)
-- Dan Streetman <email address hidden> Thu, 06 Feb 2020 09:45:57 -0500
Changed in systemd (Ubuntu Eoan): status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote: #32
This bug was fixed in the package systemd - 237-3ubuntu10.39
---------------
systemd (237-3ubuntu10.39) bionic; urgency=medium
[ Dariusz Gadomski ]
* d/p/lp1762391/
d/p/
d/p/
d/p/
d/p/
d/p/
d/p/
d/p/
- Restore call to pam_setcred (LP: #1762391)
[ Ioanna Alifieraki ]
* d/p/lp1860548/
d/p/
- use snprintf instead of xsprintf (LP: #1860548)
[ Dan Streetman ]
* d/p/lp1833193-
- Update lft when static addr was cfg by dhcp (LP: #1833193)
* d/p/lp1849261/
d/p/
- Only trigger OnFailure= if Restart= is not in effect (LP: #1849261)
* d/p/lp1671951-
- set ipv6 mtu at correct time (LP: #1671951)
* d/p/lp1845909/
d/p/
d/p/
d/p/
d/p/
d/p/
d/p/
d/p/
- if LinkLocalAddres
* d/p/lp1859862-
- enable ipv6 when needed (LP: #1859862)
* d/p/lp1836695-
- (re)add static routes after getting dhcp4 addr (LP: #1836695)
* d/t/storage:
- fix buggy test (LP: #1831459)
- without scsi_debug, skip test (LP: #1847816)
-- Dan Streetman <email address hidden> Thu, 06 Feb 2020 10:00:49 -0500
Changed in systemd (Ubuntu Bionic): status: Fix Committed → Fix Released
Dan Streetman (ddstreet) wrote: #33
upstream systemd issue is https:/
As launchpad was failing to sync the status of the upstream issue, I just marked it manually as fix released.
Changed in systemd: importance: Unknown → Undecided; status: New → Fix Released
I am also using this feature and all previous versions of Ubuntu worked fine with this configuration. However, with Bionic the GDM logins no longer add these local groups. Only non-graphical logins like su, sudo, ssh, etc. add the appropriate local groups as per /etc/security/group.conf.
This is a very important feature for us to be able to use Ubuntu with LDAP authentication in our computer labs for students and professors.