Date: Wed, 22 Aug 2007 09:44:14 +1000
From: "Scott, Brian" <Brian.Scott@det.nsw.edu.au>
To: "Ulrich Spoerlein" <uspoerlein@gmail.com>, <stable@freebsd.org>
Subject: RE: pam_group vs. multiple group lines
Message-ID: <93F091C9B5CFAF409180B07728D682E9EBEAF6@ALF6.riverina.det.win>
In-Reply-To: <20070821195043.GA1464@roadrunner.spoerlein.net>

Try:

    wheel:*:0:root,us

It looks like pam was stopping at the first matching line as you would expect from the man page for the group file. If there is a bug it is in the more liberal interpretation by other software.

-----Original Message-----
From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Ulrich Spoerlein
Sent: Wednesday, 22 August 2007 5:51 AM
To: stable@freebsd.org
Subject: pam_group vs. multiple group lines

Hi,

I think I found a deficiency wrt. to pam_group (which also hits sudo(8) so this might be libc related instead). I found this while trying to migrate groups into LDAP, but you don't need LDAP to reproduce this, simply place the following in /etc/group

    wheel:*:0:root
    wheel:*:0:us

    % getent group|grep wheel;id
    wheel:*:0:root
    wheel:*:0:us
    uid=1001(us) gid=1000(us) groups=1000(us),0(wheel),80(www)

As you can see, getent(1) and id(1) work fine. File access also works like expected, except for su(8) (because of pam_group group=wheel in pam.d/su)

    % su -
    su: Sorry

Combine the wheel entries back into one line and su(8) suddenly starts working again. Same problem hits sudo(8) if you are using a %wheel line. Since there is no pam.d/sudo on my system I think the bug probably lies in libc itself.

Is this expected behaviour? I'd classify it as bug ...

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
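
Added example, not part of either message and not FreeBSD code: a small Python audit that finds group names split across several group(5) lines, lists the members a first-match lookup would miss, and builds the combined line suggested in the reply. The function names and the sample file are constructed for illustration, and the first-match model is an assumption taken from the reply, not a reading of the pam_group or libc source.

```python
# Constructed sample mirroring the /etc/group lines quoted in the message.
SAMPLE = """\
wheel:*:0:root
wheel:*:0:us
www:*:80:us
"""


def parse(text):
    """Return [(name, passwd, gid, [members])] for well-formed group(5) lines."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 4:
            continue  # comments, blank and malformed lines are skipped
        name, passwd, gid, member_field = fields
        entries.append((name, passwd, gid, [m for m in member_field.split(",") if m]))
    return entries


def first_match_members(text, group):
    """Assumed model: a by-name lookup that stops at the first matching line."""
    for name, _pw, _gid, members in parse(text):
        if name == group:
            return members
    return []


def merged_members(text, group):
    """Members from every line with this name, in file order, de-duplicated."""
    merged = []
    for name, _pw, _gid, members in parse(text):
        if name == group:
            for m in members:
                if m not in merged:
                    merged.append(m)
    return merged


def audit(text):
    """Map each split group to (missed members, combined line using the first line's gid)."""
    report = {}
    for name, passwd, gid, _members in parse(text):
        merged = merged_members(text, name)
        missed = [m for m in merged if m not in first_match_members(text, name)]
        if missed and name not in report:
            report[name] = (missed, f"{name}:{passwd}:{gid}:{','.join(merged)}")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the audit against a copy of /etc/group before moving groups into another backend shows which memberships depend on a consumer reading every line rather than only the first.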