Red Hat Bugzilla – Bug 4298
pam_console does not reset group.
Last modified: 2008-05-01 11:37:51 EDT
When a user logs in to the console they are given ownership
of various device files. When they log back out the
ownership is reverted back to whatever is specified in
"/etc/security/console.perms". However, while they own the
file it is possible for them to change the group of the
files and this isn't reverted. In the default configuration
this isn't really a big risk because the specified modes
don't grant any special rights to the group. However, if
jaz or zip drives are installed, for these the group is given
read/write access. Obviously this would also cause problems
if any of the configured permissions are changed from the
default. I don't think this is serious but it's
certainly unexpected and unnecessary behaviour.
Patch to allow a revert group to follow.

Yuck, you are right. I'm applying your patch, and extending the man
pages and the default console.perms appropriately. Thanks for
noticing this. Our next pam release will have this functionality
and will include groups (where necessary) in the console.perms file.
Your patch did an excellent job of following the style of the code
you were modifying, by the way. :-)
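
An added example, not part of the original report or of pam_console: a check for the state described in this bug, where a console device's owner has been reverted after logout but its group has not, and whether the file's mode makes that stale group matter. The device paths, uid/gid numbers and the policy table are constructed for illustration.

```python
import os
import stat
from typing import NamedTuple

class Observed(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int

class Finding(NamedTuple):
    path: str
    field: str          # "owner" or "group"
    found: int
    wanted: int
    group_access: bool  # True if the mode grants the group read or write

def observe(path):
    """Read the live owner, group and permission bits of a device file."""
    st = os.stat(path)
    return Observed(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def audit(observed, policy):
    """Compare each file with its expected (uid, gid) and list any drift."""
    findings = []
    for o in observed:
        if o.path not in policy:
            continue
        want_uid, want_gid = policy[o.path]
        # A stale group only grants access when the group bits are set.
        access = bool(o.mode & (stat.S_IRGRP | stat.S_IWGRP))
        if o.uid != want_uid:
            findings.append(Finding(o.path, "owner", o.uid, want_uid, access))
        if o.gid != want_gid:
            findings.append(Finding(o.path, "group", o.gid, want_gid, access))
    return findings

# Constructed policy: expected (uid, gid) once nobody is logged in.
POLICY = {"/dev/audio": (0, 0), "/dev/zip": (0, 0), "/dev/fd0": (0, 0)}
# Constructed post-logout state: owner reverted, group left at gid 500.
SAMPLE = [
    Observed("/dev/audio", 0, 500, 0o600),  # stale group, no group bits
    Observed("/dev/zip", 0, 500, 0o660),    # stale group with read/write
    Observed("/dev/fd0", 0, 0, 0o660),      # fully reverted
]

if __name__ == "__main__":
    for f in audit(SAMPLE, POLICY):
        print(f)
```

On a live system, build the input with `observe()` for each device path of interest instead of using `SAMPLE`.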