Bug 52371

Summary: pam_group component doesn't work (and possibly others)
Product: [Retired] Red Hat Linux Reporter: George Lebl <jirka>
Component: gdmAssignee: Havoc Pennington <hp>
Status: CLOSED RAWHIDE QA Contact: Aaron Brown <abrown>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: nalin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-01-10 20:33:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch to fix a pam setcred bug in gdm 2.2.3.1 none

Description George Lebl 2001-08-23 07:59:39 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux alpha; en-US; rv:0.9.2) Gecko/20010809

Description of problem:
Since the pam_setcred is called before the initgroups call, setting
supplementary groups with pam_group will thus not work of course since
the groups are then wiped later.  It could be that other credentials are
also not set correctly because of this, another (but minor) issue is that
pam_open_session was called before setcred, rather then after as is
recommended by the pam docs.  This bug applies to all gdm versions that I
know of and thus all versions of redhat that use gdm.  A fix is in the
current CVS version and will be in the next release.  In the meantime I
have attached a patch against 2.2.3.1 which is the version redhat seems to
be using currently. Not sure how critical this is, since essentially no gdm
version got it right previously and pam_group is not that useful, however,
other modules that grant certain credentials could be effected
by this as well.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. use pam_group
2. log in with gdm
3. 
	

Actual Results:  No supplemental group memberships given by pam_group. 
Only those listed in /etc/groups are given by initgroups

Expected Results:  have both /etc/groups and pam_group setups be in effect

Additional info:
Comment 1 George Lebl 2001-08-23 08:03:55 UTC 
Created attachment 29134 [details]
Patch to fix a pam setcred bug in gdm 2.2.3.1
Comment 2 Havoc Pennington 2002-01-10 16:16:56 UTC 
Nalin when I get to work I plan to ask you to explain what George is talking
about ;-)
Comment 3 George Lebl 2002-01-10 20:33:34 UTC 
Well, all that stuff changed recently anyway.  I think it's best to just upgrade
to 2.2.5.4 which I think does pam correctly.
Comment 4 Havoc Pennington 2002-02-12 00:01:00 UTC 
OK, rawhide has new gdm