Bug 52371 - pam_group component doesn't work (and possibly others)
Summary: pam_group component doesn't work (and possibly others)
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gdm   
(Show other bugs)
Version: 7.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Havoc Pennington
QA Contact: Aaron Brown
Depends On:
TreeView+ depends on / blocked
Reported: 2001-08-23 07:59 UTC by George Lebl
Modified: 2007-04-18 16:36 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-01-10 20:33:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to fix a pam setcred bug in gdm (5.03 KB, patch)
2001-08-23 08:03 UTC, George Lebl
no flags Details | Diff

Description George Lebl 2001-08-23 07:59:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux alpha; en-US; rv:0.9.2) Gecko/20010809

Description of problem:
Since the pam_setcred is called before the initgroups call, setting
supplementary groups with pam_group will thus not work of course since
the groups are then wiped later.  It could be that other credentials are
also not set correctly because of this, another (but minor) issue is that
pam_open_session was called before setcred, rather then after as is
recommended by the pam docs.  This bug applies to all gdm versions that I
know of and thus all versions of redhat that use gdm.  A fix is in the
current CVS version and will be in the next release.  In the meantime I
have attached a patch against which is the version redhat seems to
be using currently. Not sure how critical this is, since essentially no gdm
version got it right previously and pam_group is not that useful, however,
other modules that grant certain credentials could be effected
by this as well.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use pam_group
2. log in with gdm

Actual Results:  No supplemental group memberships given by pam_group. 
Only those listed in /etc/groups are given by initgroups

Expected Results:  have both /etc/groups and pam_group setups be in effect

Additional info:

Comment 1 George Lebl 2001-08-23 08:03:55 UTC
Created attachment 29134 [details]
Patch to fix a pam setcred bug in gdm

Comment 2 Havoc Pennington 2002-01-10 16:16:56 UTC
Nalin when I get to work I plan to ask you to explain what George is talking
about ;-)

Comment 3 George Lebl 2002-01-10 20:33:34 UTC
Well, all that stuff changed recently anyway.  I think it's best to just upgrade
to which I think does pam correctly.

Comment 4 Havoc Pennington 2002-02-12 00:01:00 UTC
OK, rawhide has new gdm

Note You need to log in before you can comment on or make changes to this bug.