pam_group (Was: ubuntu-xxx ....)

Matt Zimmerman mdz at
Thu Mar 31 14:38:41 CST 2005

On Thu, Mar 31, 2005 at 10:16:05PM +0200, Timo Aaltonen wrote:

> >Why is it a problem to add these users to the necessary groups?  That is
> >the simplest and most robust solution.
> Not if you have >20000 users.

Surely with that number of users, you have tools to make changes like this

> Besides, isn't it a security problem to have all users in all those groups
> that are desktop-specific? At least when ssh-connections are accepted...

What sort of security problem?  If the user should have these privileges
according to your security policy, they should be granted to them.

> More "elegant" solution is to tell gdm to use pam_group (as I already told 
> Adrian in a private mail):
> -add this line in /etc/pam.d/gdm:
> auth    optional
> -modify /etc/security/group.conf, for hoary-installation it could be 
> something like this (looking at my laptop and the groups I'm on):
> gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner
> now, only the local user has access to the devices etc. Neat and tidy, huh? 
> ;)

It seems that way at first, but in fact the semantics are closer to "any
user who has ever logged in locally has access to these devices".  Pitfalls
like these are the reason why we don't "magically" grant permissions based
on dynamic criteria.  If the user should have access to the devices, they
should be granted, otherwise not.  The capability does not currently exist
to revoke these permissions from users once they have been granted.

 - mdz

More information about the ubuntu-devel mailing list