Comment 0 for bug 1281700

Andreas (andreas-kotowicz) wrote : policykit-1 does not "see" groups assigned by pam_group

I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
$ tail -n2 /etc/security/group.conf

# add LDAP users to these groups by default, don't give them admin rights.
"*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"

These additional group IDs are assigned correctly:

$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

Based on these additional groups, I'm trying to give certain user groups the necessary permissions to execute a program, using policykit-1. Unfortunately, policykit does seem to only 'see' / 'know' about the primary group that the user belongs to (and not those additional groups that are assigned via /etc/security/group.conf).

This works (users can start the program):
[AllowUsertoDoSomething]
Identity=unix-group:ldapgroup

This doesn't work (users are asked to provide the administrator password):
[AllowUsertoDoSomething]
Identity=unix-group:plugdev

I suspect that this has something to do with the fact that 'id' does return conflicting information about groups:

# call id without username, returns all groups, including the ones defined in /etc/security/group.conf
$ id
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

# call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
$ id myusername
uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)

My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main ldap groups.
I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line).

This is Ubuntu 12.04.3 with all latest updates. Any help and suggestions are appreciated.

$ lsb_release -rd
Description: Ubuntu 12.04.3 LTS
Release: 12.04

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.104-1ubuntu1.1
  Candidate: 0.104-1ubuntu1.1
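
Added example, not part of the original report: `id` with no argument prints the calling process's own credentials, while `id myusername` looks the user up in the group database (NSS), so any service that resolves groups by user name sees only the second view. The sketch below diffs the two views, first on the `id` outputs quoted in the report and then live for the current process; the function names are hypothetical.

```python
import os
import pwd
import re

# Constructed sample input: the two `id` outputs quoted in the report above.
ID_PROCESS = ("uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),"
              "24(cdrom),29(audio),44(video),46(plugdev),104(fuse)")
ID_DATABASE = "uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)"


def parse_id_groups(id_output):
    """Return {gid: name} parsed from the groups= field of `id` output."""
    match = re.search(r"groups=(\S+)", id_output)
    if match is None:
        return {}
    groups = {}
    for entry in match.group(1).split(","):
        m = re.fullmatch(r"(\d+)(?:\((.*)\))?", entry)
        if m:
            # Fall back to the numeric GID when `id` printed no name.
            groups[int(m.group(1))] = m.group(2) or m.group(1)
    return groups


def session_only(process_groups, database_groups):
    """Groups held by the process but unknown to a lookup by user name."""
    return {gid: name for gid, name in process_groups.items()
            if gid not in database_groups}


def live_views():
    """Return (process GIDs, database GIDs) for the current user."""
    user = pwd.getpwuid(os.getuid())
    # Process credentials: what setgroups() left on this session.
    process = set(os.getgroups()) | {os.getgid()}
    # Database view: what getgrouplist() resolves from passwd/group/LDAP.
    database = set(os.getgrouplist(user.pw_name, user.pw_gid))
    return process, database


if __name__ == "__main__":
    print(session_only(parse_id_groups(ID_PROCESS), parse_id_groups(ID_DATABASE)))
    process, database = live_views()
    print("session-only GIDs on this host:", sorted(process - database))
```

A non-empty result means authorization rules keyed on those groups will behave differently depending on whether the checker inspects the session's credentials or looks the user up by name.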