pam_group does not support NSS groups

Bug #297408 reported by Edward Murrell on 2008-11-12
36
This bug affects 6 people
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: libpam-modules

The pam_group module allows assigning groups based on group membership. This is handy, if for example you want to automagically enable various rights on a specific server dependant on a users membership in a given netgroup. The following line in /etc/security/group.conf makes a user part of the admin group on the machine if they are part of the net group developers.

*;*;@developers;Al0000-2400;admin

Unfortunately, this only works for NIS net groups. This isn't much help if your network groups are held in LDAP, which are recognized as normal NSS groups.

Patch is attached which fixes this. NSS groups are recognized by '%'. Ie;

*;*;%someldapgroup;Al0000-2400;admin

Mark A. Ziesemer (ziesemer) wrote :

Any chance for Edward's patch to be included in a release? Otherwise, what is the best way for me to apply this patch myself to my own systems? Or is there a better / alternative solution for the same requirement? Thanks!

Mark A. Ziesemer (ziesemer) wrote :

After some trial and error, I was able to download the PAM sources, patch, and compile. However, now I'm a little confused as to the supported syntax of this patch. I.E., what is the LDAP query used to determine if a user is a member of an "NSS group" or not? Does it only support a user's gidNumber attribute - meaning that it would only work for a user's primary group? Or would it support the groupOfNames objectClass, and possibly the memberof overlay under OpenLDAP? Thanks!!

Edward Murrell (edward-murrell) wrote :

The patch itself doesn't support LDAP directly, but through the NSS library, so the query will be determined by the configuration of if libnss-ldap or libnss-ldapd packages.

So, to answer your query, it only supports POSIX/unix groups that it is a member. In most circumstances this will be where memberUid includes the username in question.

The primary group is a good point, I may have to update the patch to include that. (Coffee is needed first)

Allowing automatic addition to local groups based on groupOfNames would not necessarily be a bad thing, though that functionality would belong in libnss-ldap[d] or libpam-ldap.

Mark A. Ziesemer (ziesemer) wrote :

I'm having difficulty getting this to work even in a basic case. I built and patched the PAM modules (pam-1.1.1), and copied the resulting pam-1.1.1/modules/pam_group/.libs/pam_group.so to /lib/security . Even after a reboot (if even necessary?), rules in /etc/security/group.conf continue to work as long as they don't reference LDAP groups. However, I can't get LDAP groups to work. I don't see any errors or warnings in /var/log/auth.log . What else can I do to debug?

I'm testing on a VM of Lucid 10.04 beta 2.

Here is a test group and user I setup in OpenLDAP:

dn: cn=testPAMGroup,ou=groups,dc=test,dc=ziesemer,dc=com
cn: testPAMGroup
gidnumber: 2001
memberuid: mark-test
objectclass: posixGroup
objectclass: top

dn: cn=mark-test,ou=people,dc=test,dc=ziesemer,dc=com
cn: mark-test
gidnumber: 2000
givenname: Mark
homedirectory: /home/users/mark-test
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Ziesemer
uid: mark-test
uidnumber: 10003

Line added to /etc/security/group.conf :

*; *; %testPAMGroup; Al0000-2400; cdrom, audio, video

Test:

$ sudo su - mark-test
No directory, logging in with HOME=/
$ id
uid=10003(mark-test) gid=2000(users) groups=2000(users),2001(testPAMGroup)

Note that the session doesn't have any of the additional groups, e.g. cdrom.

If I replace the line in group.conf to :

*; *; mark-test; Al0000-2400; cdrom, audio, video

$ sudo su - mark-test
No directory, logging in with HOME=/
$ id
uid=10003(mark-test) gid=2000(users) groups=24(cdrom),29(audio),44(video),2000(users),2001(testPAMGroup)

summary: - pam_group does support NSS groups
+ pam_group does not support NSS groups
Mark A. Ziesemer (ziesemer) wrote :

Thanks to Edward for a note concerning the use of whitespace. It is now working for me, as long as there is no space padded around the LDAP group. I.E., ...;%testPAMGroup;... works, but ...; %testPAMGroup;... doesn't.

Testing with "sudo login" then works by default. Usage under "sudo su - mark-test" only works if "auth optional pam_group.so" is added to the top of /etc/pam.d/su (before pam_rootok.so). Similar edits are needed to support SSH logins, etc. (Is there a better place to add this, such as into common-auth - while considering the required placement in su before pam_rootok.so?)

jwm (jwm-angrymonkey) wrote :

As a netgroup user I note that @netgroup can't include any white space between the semicolons, either. The documentation's use of white space in the second field is a bit misleading, perhaps.

common-auth looks like a good place to put pam_group, ideally under the control of pam-auth-update.

(Also, I like the patch, as I'm migrating NIS installations to LDAP and would rather not try to replicate netgroups in LDAP if I can use conventional groups.)

Mark A. Ziesemer (ziesemer) wrote :

What are the next steps necessary to have this patch included into a future release?

annunaki2k2 (russell-knighton) wrote :

Is there a chance this can be back-ported/included in a package for Lucid?

We have just switched from NIS to LDAP and hit this problem. I have tested the patch and rolled it out on all our servers/desktops and can confirm that it works just fine.

I really need to have a chat to the PAM maintainers about having this implemented in mainline pam. In any case, the patch at the top compiles cleanly with 10.4 packages. I've built a bunch of packages, which are listed below - only the first one should actually matter;

http://tin.murrell.co.nz/~edward/pam/ubuntu/10.4/libpam-modules_1.1.1-2ubuntu5-ekm1_i386.deb

http://tin.murrell.co.nz/~edward/pam/ubuntu/10.4/libpam0g_1.1.1-2ubuntu5-ekm1_i386.deb
http://tin.murrell.co.nz/~edward/pam/ubuntu/10.4/libpam0g-dev_1.1.1-2ubuntu5-ekm1_i386.deb
http://tin.murrell.co.nz/~edward/pam/ubuntu/10.4/libpam-cracklib_1.1.1-2ubuntu5-ekm1_i386.deb
http://tin.murrell.co.nz/~edward/pam/ubuntu/10.4/libpam-doc_1.1.1-2ubuntu5-ekm1_all.deb
http://tin.murrell.co.nz/~edward/pam/ubuntu/10.4/libpam-runtime_1.1.1-2ubuntu5-ekm1_all.deb

NOTE: Other than some very basic checking to make sure it works as advertised and doesn't immediately explode on usage , I have done exactly zero testing of the above packages. If you are using these in a production environment, please test them properly before rolling out.

The patch was rolled up into Pam 1.1.2 as per the link below. Credit would have been nice though. :(

http://sourceforge.net/mailarchive/forum.php?thread_name=1280924965.5791.770.camel%40vespa.frost.loc&forum_name=pam-patches

Changed in pam (Ubuntu):
status: New → Fix Released
Steve Langasek (vorlon) wrote :

Huh? pam 1.1.2 isn't in Ubuntu yet...

Changed in pam (Ubuntu):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (3.7 KiB)

This bug was fixed in the package pam - 1.1.2-2ubuntu1

---------------
pam (1.1.2-2ubuntu1) natty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)

pam (1.1.2-2) unstable; urgency=low

  * debian/patches-applied/hurd_no_setfsuid: handle some new calls to
    setfsuid in pam_xauth that I overlooked, so that the build works again
    on non-Linux. Closes: #613630.

pam (1.1.2-1) unstable; urgency=low

  * New upstream release.
    - Add support for NSS groups to pam_group. Closes: #589019,
      LP: #297408.
    - Support cross-building the package. Thanks to Neil Williams
      <email address hidden> for the patch. Closes: #284854.
  * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit
    interface. Closes: #579402.
  * Drop patches conditional_module,_conditional_man and
    mkhomedir_linking.patch, which are included upstream.
  * debian/patches/hurd_no_setfsuid: pam_env and pam_mail now also use
    setfsuid, so patch them to be likewise Hurd-safe.
  * Update debian/source.lintian-overrides to clean up some spurious
    warnings.
  * debian/libpam-modules.postinst: if any 'min=n' options are found in
    /etc/pam.d/common-password, convert them on upgrade to 'minlen=n' for
    compatibility with upstream.
  * debian/NEWS: document the disappearance of 'min=n', in case users have
    encoded this option elsewhere outside of /etc/pam.d/common-password.
  * debian/patches/007_modules_pam_unix: drop compatibility handling of
    'max=' no-op; use of this option will now log an error, as warned three
    years ago.
  * Bump Standards-Version to 3.9.1.
  * Add lintian overrides for a few more spurious warnings.
  * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for
    compatibility when it's not already set. Closes: #552043.
  * debian/local/pam-auth-update: Don't try to pass embedded newlines to
    debconf; backslash-escape them instead and use CAPB escape.
  * debian/local/pam-auth-update: sort additional module options before
    writing them out, so that we don't wind up with a different config file
    on every invocation. Thanks to Jim Paris <email address hidden> for the patch.
    Closes: #594123.
  * debian/libpam-runtime.{postinst,temp...

Read more...

Changed in pam (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers