2014-02-18 17:49:11 |
Andreas |
bug |
|
|
added bug |
2014-02-18 17:57:24 |
Andreas |
tags |
|
apport-collected precise |
|
2014-02-18 17:57:25 |
Andreas |
description |
I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
$ tail -n2 /etc/security/group.conf
# add LDAP users to these groups by default, don't give them admin rights.
"*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"
These additional group IDs are assigned correctly:
$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)
Based on these additional groups, I'm trying to give certain user groups the necessary permissions to execute a program, using policykit-1. Unfortunately, policykit does seem to only 'see' / 'know' about the primary group that the user belongs to (and not those additional groups that are assigned via /etc/security/group.conf).
This works (users can start the program):
[AllowUsertoDoSomething]
Identity=unix-group:ldapgroup
This doesn't work (users are asked to provide the administrator password):
[AllowUsertoDoSomething]
Identity=unix-group:plugdev
I suspect that this has something to do with the fact that 'id' does return conflicting information about groups:
# call id without username, returns all groups, including the ones defined in /etc/security/group.conf
$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)
# call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
$ id myusername
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)
My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main ldap groups.
I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line)
This is Ubuntu 12.04.3 with all latest updates. Any help and suggestions are appreciated.
$ lsb_release -rd
Description: Ubuntu 12.04.3 LTS
Release: 12.04
$ apt-cache policy policykit-1
policykit-1:
Installed: 0.104-1ubuntu1.1
Candidate: 0.104-1ubuntu1.1
---
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
DistroRelease: Ubuntu 12.04
MarkForUpload: True
NonfreeKernelModules: nvidia
Package: policykit-1 0.104-1ubuntu1.1
PackageArchitecture: amd64
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
Tags: precise
Uname: Linux 3.5.0-41-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: |
|
2014-02-18 17:57:26 |
Andreas |
attachment added |
|
Dependencies.txt https://bugs.launchpad.net/bugs/1281700/+attachment/3985595/+files/Dependencies.txt |
|
2014-02-19 08:33:18 |
Andreas |
summary |
policykit-1 does not "see" groups assigned by pam_group |
policykit-1 is not aware of groups assigned by pam_group |
|
2014-02-19 08:34:55 |
Andreas |
description |
I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
$ tail -n2 /etc/security/group.conf
# add LDAP users to these default groups, but don't give them admin rights.
"*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"
These additional group IDs are assigned correctly:
$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)
Based on these additional groups, I'm trying to give certain user groups the necessary permissions to execute a program, using policykit-1. Unfortunately, policykit does seem to only 'see' / 'be aware' of the primary group that the user belongs to (and not those additional groups that are assigned via /etc/security/group.conf).
This works (users can start the program):
[AllowUsertoDoSomething]
Identity=unix-group:ldapgroup
This doesn't work (users are asked to provide the administrator password):
[AllowUsertoDoSomething]
Identity=unix-group:plugdev
I suspect that this has something to do with the fact that 'id' does return conflicting information about groups:
# call id without username, returns all groups, including the ones defined in /etc/security/group.conf
$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)
# call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
$ id myusername
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)
My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main ldap groups.
I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line)
This is Ubuntu 12.04.3 with all latest updates. Any help and suggestions are appreciated.
$ lsb_release -rd
Description: Ubuntu 12.04.3 LTS
Release: 12.04
$ apt-cache policy policykit-1
policykit-1:
Installed: 0.104-1ubuntu1.1
Candidate: 0.104-1ubuntu1.1
---
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
DistroRelease: Ubuntu 12.04
MarkForUpload: True
NonfreeKernelModules: nvidia
Package: policykit-1 0.104-1ubuntu1.1
PackageArchitecture: amd64
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
Tags: precise
Uname: Linux 3.5.0-41-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: |
|
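Added example (not part of the bug report): `id` with no argument prints the calling process's own credentials, while `id myusername` looks the user up in the group database, and pam_group only adds groups to the processes of the login session. The Python below parses the two `id` outputs quoted in the report and lists the groups that exist only in the session; `parse_id_groups`, `session_only` and `live_groups` are names chosen here for illustration.

```python
import os
import pwd
import re

# Constructed sample input: the two `id` outputs quoted in the bug description.
ID_PROCESS = ("uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),"
              "24(cdrom),29(audio),44(video),46(plugdev),104(fuse)")
ID_BY_NAME = "uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)"


def parse_id_groups(line):
    """Return {gid: name} from the groups= field of one line of `id` output.
    Assumes group names contain no spaces."""
    field = re.search(r"\bgroups=(\S+)", line)
    if not field:
        return {}
    groups = {}
    for item in field.group(1).split(","):
        m = re.fullmatch(r"(\d+)(?:\((.*)\))?", item)
        if m:  # the name is absent when the gid has no group database entry
            groups[int(m.group(1))] = m.group(2) or ""
    return groups


def session_only(process_groups, database_groups):
    """Groups held by the process but not returned by a lookup by user name."""
    return {gid: name for gid, name in process_groups.items()
            if gid not in database_groups}


def live_groups():
    """The same two views for the current process, using the calls behind the
    two forms of `id`: getgroups(2) and getgrouplist(3)."""
    process = set(os.getgroups()) | {os.getgid()}
    try:
        user = pwd.getpwuid(os.getuid())
    except KeyError:  # uid has no passwd entry, nothing to compare against
        return None
    return process, set(os.getgrouplist(user.pw_name, user.pw_gid))


if __name__ == "__main__":
    extra = session_only(parse_id_groups(ID_PROCESS), parse_id_groups(ID_BY_NAME))
    print("session-only groups in the report:", sorted(extra.values()))
    live = live_groups()
    if live:
        print("session-only gids on this host:", sorted(live[0] - live[1]))
```

Any authorization check that resolves a user's groups by name rather than from the requesting process's credentials will see only the second set.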
2014-05-30 00:48:32 |
Launchpad Janitor |
policykit-1 (Ubuntu): status |
New |
Confirmed |
|
2014-06-26 13:22:28 |
bigbrovar |
bug |
|
|
added subscriber bigbrovar |
2015-03-26 11:41:13 |
mtemp |
bug |
|
|
added subscriber mtemp |
2015-10-19 07:20:32 |
Tom De Sloovere |
bug |
|
|
added subscriber Tom De Sloovere |
2016-01-12 13:50:12 |
PorkCharSui |
bug |
|
|
added subscriber PorkCharSui |
2016-04-18 07:47:27 |
Tim Connolly |
bug |
|
|
added subscriber Tim Connolly |
2019-03-04 08:25:17 |
Guillermo |
bug |
|
|
added subscriber Guillermo |