Date: Tue, 21 Aug 2007 21:50:43 +0200
From: Ulrich Spoerlein
To: stable@freebsd.org
Subject: pam_group vs. multiple group lines
Message-ID: <20070821195043.GA1464@roadrunner.spoerlein.net>

Hi,

I think I found a deficiency wrt. pam_group (which also hits sudo(8), so this might be libc related instead).

I found this while trying to migrate groups into LDAP, but you don't need LDAP to reproduce this, simply place the following in /etc/group

    wheel:*:0:root
    wheel:*:0:us

    % getent group|grep wheel;id
    wheel:*:0:root
    wheel:*:0:us
    uid=1001(us) gid=1000(us) groups=1000(us),0(wheel),80(www)

As you can see, getent(1) and id(1) work fine. File access also works as expected, except for su(8) (because of pam_group group=wheel in pam.d/su)

    % su -
    su: Sorry

Combine the wheel entries back into one line and su(8) suddenly starts working again. Same problem hits sudo(8) if you are using a %wheel line. Since there is no pam.d/sudo on my system I think the bug probably lies in libc itself.

Is this expected behaviour? I'd classify it as a bug ...

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
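An added illustration, not code from the message or from FreeBSD: it contrasts a membership check that trusts only the first entry carrying a group name with one that consults every entry, run over the duplicated wheel lines from the message as constructed input. That the failing su(8)/sudo(8) path behaves like the first-match case is an assumption, not something the message establishes; `is_member`, `in_members` and `first_only` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the duplicated wheel entries from the message. */
static const char SAMPLE_GROUP[] =
    "wheel:*:0:root\nwheel:*:0:us\nwww:*:80:us\n";

/* Return 1 if user is in the comma-separated member list of len bytes. */
static int in_members(const char *p, size_t len, const char *user)
{
    const char *end = p + len;
    size_t ulen = strlen(user);
    for (;;) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        size_t n = (size_t)((comma ? comma : end) - p);
        if (n == ulen && memcmp(p, user, n) == 0) return 1;
        if (comma == NULL) return 0;
        p = comma + 1;
    }
}

/* first_only=1: trust only the first entry named group (assumed model of a
 * first-match lookup); first_only=0: consult every entry with that name. */
static int is_member(const char *db, const char *group, const char *user, int first_only)
{
    size_t glen = strlen(group);
    for (const char *line = db; *line != '\0'; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > glen && strncmp(line, group, glen) == 0 && line[glen] == ':') {
            const char *f = line, *lend = line + llen;
            int colons = 0;             /* members follow the third ':' */
            while (f < lend && colons < 3)
                if (*f++ == ':') colons++;
            if (colons == 3 && in_members(f, (size_t)(lend - f), user))
                return 1;
            if (first_only) return 0;   /* later duplicates are never seen */
        }
        line += llen + (eol ? 1 : 0);
    }
    return 0;
}

int main(void)
{
    printf("first match only: %d\n", is_member(SAMPLE_GROUP, "wheel", "us", 1));
    printf("all entries:      %d\n", is_member(SAMPLE_GROUP, "wheel", "us", 0));
    return 0;
}
```

When auditing a group database for this condition, the same split shows up as a name that appears on more than one line with different member lists.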