pam_group is not idempotent

Bug #624715 reported by jwm
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pam (Ubuntu) | Triaged | Low | Unassigned | |

Bug Description

If pam_group appears twice in various pam.d files (e.g., added to common-auth and still present in login), it will add the user to those groups a second time.

Actually, the extent of the problem is worse than that — if the user is already a member of a group, they're still added a second time, indicating that no checking is done at all!

This is definitely a pain when using NFSv3, as it has a limit of 16 supplementary groups.
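
The behaviour reported above, as an added example that is not part of the original report and is not pam_group's own code: an append with no membership check beside an idempotent merge, plus a duplicate counter that can be run over a list such as the one getgroups(2) returns. The function names, the GIDs and the six passes are constructed for illustration; the limit of 16 is the figure given in the report.

```c
#include <stdio.h>
#include <sys/types.h>
#define NFS3_GROUP_LIMIT 16 /* supplementary-group limit cited in the report */

static int has_gid(const gid_t *list, size_t n, gid_t g)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == g) return 1;
    return 0;
}

/* Behaviour the report describes: append with no membership check. */
size_t append_naive(gid_t *list, size_t n, size_t cap, const gid_t *add, size_t n_add)
{
    for (size_t i = 0; i < n_add && n < cap; i++)
        list[n++] = add[i];
    return n;
}

/* Idempotent merge: a GID already in the list is skipped. */
size_t append_unique(gid_t *list, size_t n, size_t cap, const gid_t *add, size_t n_add)
{
    for (size_t i = 0; i < n_add && n < cap; i++)
        if (!has_gid(list, n, add[i]))
            list[n++] = add[i];
    return n;
}

/* Count repeated entries in a list such as one returned by getgroups(2). */
size_t count_duplicates(const gid_t *list, size_t n)
{
    size_t dups = 0;
    for (size_t i = 1; i < n; i++)
        dups += has_gid(list, i, list[i]);
    return dups;
}

int main(void)
{
    const gid_t add[] = {29, 44, 46};              /* constructed GIDs */
    gid_t a[64] = {1000, 29}, b[64] = {1000, 29};  /* user is already in 29 */
    size_t na = 2, nb = 2;
    for (int pass = 0; pass < 6; pass++) {         /* constructed: six passes */
        na = append_naive(a, na, 64, add, 3);
        nb = append_unique(b, nb, 64, add, 3);
    }
    printf("naive: %zu (%zu dups), over limit: %d\n", na, count_duplicates(a, na), na > NFS3_GROUP_LIMIT);
    printf("unique: %zu (%zu dups)\n", nb, count_duplicates(b, nb));
    return 0;
}
```
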

Steve Langasek (vorlon) wrote :

This is one of the many problems with the pam_group module that contribute to it not being recommended as a means of providing conditional access on login: it has been all but superseded by pam_consolekit for the standard use cases. So while I'm confirming this bug report, please understand that it is unlikely that the Ubuntu developers will work on fixing it.

Changed in pam (Ubuntu):
importance: Undecided → Low
status: New → Triaged
jwm (jwm-angrymonkey) wrote :

I've had a look at consolekit and can't figure out how to use it to do *anything* let alone substitute for pam_groups. The freedesktop.org webpage is basically it, and all it consists of is an aspirational introduction written in architecture astronaut speak, and a DBus API guide.

Unless I'm missing some sort of super secret /etc/security/* to consolekit migration guide.
