From: Lev Serebryakov <lev@FreeBSD.org>
Organization: FreeBSD Project
Date: Tue, 31 May 2011 12:12:35 +0400
To: freebsd-security@freebsd.org
Subject: pam_ldap + nss_ldap, su(1), group wheel and pam_group
Message-ID: <616706222.20110531121235@serebryakov.spb.ru>

Hello, freebsd-security.

What is the proper way to mix pam_ldap/nss_ldap (no users but root in local files), su(1) and the check for group `wheel'?

The "files" source should have precedence over "ldap" in /etc/nsswitch.conf, so that daemons can change user/group before the network is fully configured, and so that the local "root" has priority over any LDAP one. Group `wheel' should be in /etc/group, because it seems that it should be available under any conditions.
But the result of this is a conflict: id(1) shows that the user is included in group `wheel' (on LDAP), because `id' uses getgroups(2), but su(1) refuses the user, because it uses getgrnam(3), which finds group "wheel" in /etc/group, where the user doesn't belong to group "wheel" :(

Is there any `standard' solution to this problem? I know about sudo(8), but I'm afraid that this inconsistency could bite somewhere else, and in any case, I want su(1) to work :)

Is there any reason why pam_group(8) is inconsistent with id(1) in the way it determines to which groups a user belongs?

-- 
// Black Lion AKA Lev Serebryakov
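The lookup difference the post describes, modelled in Python as an added example (not code from the original post or from FreeBSD): a first-match getgrnam(3) over a "files ldap" order versus an id(1)-style membership union across all sources. The group databases, the user name "lev" and the group "staff" are constructed sample data, and the model is a simplification of the real nsswitch dispatch.

```python
# Added example: model of the two NSS group views the post contrasts.
# Source contents below are constructed sample data, not real systems.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    gid: int
    mem: list = field(default_factory=list)


# Constructed sample databases: the local /etc/group and an LDAP directory.
FILES = {"wheel": Group("wheel", 0, ["root"])}
LDAP = {"wheel": Group("wheel", 0, ["root", "lev"]),
        "staff": Group("staff", 20, ["lev"])}

# /etc/nsswitch.conf:  group: files ldap
SOURCES = [FILES, LDAP]


def getgrnam(name, sources=SOURCES):
    """First-match lookup, as getgrnam(3) behaves with 'files ldap':
    the first source that knows the group wins and later sources are
    never consulted, so their member lists are not merged in."""
    for src in sources:
        if name in src:
            return src[name]
    return None


def getgrouplist(user, sources=SOURCES):
    """Membership as id(1) reports it: every source is asked which
    groups list the user and the answers are unioned."""
    groups = {g.name for src in sources for g in src.values() if user in g.mem}
    return sorted(groups)


def pam_group_check(user, group="wheel", sources=SOURCES):
    """What su(1)/pam_group effectively test: is the user in the member
    list of the single struct group returned by getgrnam?"""
    grp = getgrnam(group, sources)
    return grp is not None and user in grp.mem


def id_check(user, group="wheel", sources=SOURCES):
    return group in getgrouplist(user, sources)


if __name__ == "__main__":
    print("id(1) sees wheel:", id_check("lev"))        # True
    print("su(1) accepts:", pam_group_check("lev"))    # False: the mismatch
    # Mitigation on the files side: list the user in the local wheel entry.
    FIXED = [{"wheel": Group("wheel", 0, ["root", "lev"])}, LDAP]
    print("su(1) after fix:", pam_group_check("lev", sources=FIXED))  # True
```

The mismatch disappears only when the local wheel entry itself names the user, because no later source is merged into a first-match getgrnam result.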