[Bug 1762391] Re: pam_group.so is not evaluated by gnome-terminal
Dariusz Gadomski
1762391 at bugs.launchpad.net
Mon Feb 10 10:21:15 UTC 2020
Similarly for bionic using version 237-3ubuntu10.39 verification was
also successsful:
ubuntu at bionic:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin sambashare vboxsf
** Tags removed: verification-needed verification-needed-bionic verification-needed-eoan
** Tags added: verification-done verification-done-bionic verification-done-eoan
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1762391
Title:
pam_group.so is not evaluated by gnome-terminal
Status in systemd:
New
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Xenial:
Won't Fix
Status in systemd source package in Bionic:
Fix Committed
Status in systemd source package in Cosmic:
Won't Fix
Status in systemd source package in Eoan:
Fix Committed
Status in systemd source package in Focal:
Fix Released
Bug description:
[Impact]
pam_setcred call was missing in systemd making its implementation of the PAM protocol incomplete. It could manifest in different ways, but one particularly problematic for enterprise environments was the fact that
processes were never getting group membership they were expected to get via pam_group module.
[Test Case]
* Add a /etc/security/group.conf entry, e.g.
*;*;*;Al0000-2400;dialout,users
* Add pam_group to your PAM stack, e.g. /etc/pam.d/common-auth
* Login to the system and launch gnome-terminal (it will be launched via gnome-terminal-server launched by systemd --user + dbus).
Expected result:
Logged in user is a member of 'dialout' and 'users' groups.
Actual result:
no group membership gained from pam_group.
[Regression Potential]
* It introduces a new PAM warning message in some scenarios (e.g. for
systemd DynamicUser=1 units) for users that can't authenticate
(pam_setcred fails in such case).
* In certain systems user group membership may be extended by
pam_group.
[Other Info]
Original bug description:
We are using Ubuntu in a university network with lots of ldap users.
To automatically map ldap users/groups to local groups we are using
pam_group.so. This has worked for years.
With the upgrade from Xenial to Bionic /etc/security/group.conf is not
evaluated anymore by gnome-terminal as it runs as systemd --user.
Xterm, ssh, su, and tty* however do work as expected. Only the default
gnome-terminal behaves different.
According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851243
and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756458 this
might not be a bug, but a feature.
Nevertheless this behavior is very unexpected when upgrading from
Xenial to Bionic and therefore should at least added to the changelog.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-terminal 3.28.0-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-10.11-generic 4.15.3
Uname: Linux 4.15.0-10-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 9 13:17:52 2018
InstallationDate: Installed on 2018-03-29 (11 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180321)
SourcePackage: gnome-terminal
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1762391/+subscriptions
More information about the Ubuntu-sponsors
mailing list