touch-packages team mailing list archive

[Bug 1281700] Re: policykit-1 is not aware of groups assigned by pam_group

 

Same problem here in an openldap environment with ubuntu 14.04.3
workstations. We have this issue with adding certain openldap groups to
the local sudo group.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1281700

Title:
  policykit-1 is not aware of groups assigned by pam_group

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
  $ tail -n2 /etc/security/group.conf

  # add LDAP users to these default groups, but don't give them admin rights.
  "*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"

  These additional group IDs are assigned correctly:

  $ id
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  Based on these additional groups, I'm trying to give certain user
  groups the necessary permissions to execute program, using
  policykit-1. Unfortunately, policykit does seem to only 'see' / 'be
  aware' of the primary group that the user belongs to (and not those
  additional groups that are assigned via /etc/security/group.conf).

  This works (users can start the program):
  [AllowUsertoDoSomething]
  Identity=unix-group:ldapgroup

  This doesn't work (users are asked to provide the administrator password):
  [AllowUsertoDoSomething]
  Identity=unix-group:plugdev

  I suspect that this has something to do with the fact that 'id' does
  return conflicting information about groups:

  # call id without username, returns all groups, including the ones defined in /etc/security/group.conf
  $ id
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  # call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
  $ id myusername
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)

  My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main ldap groups.
  I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line)

  This is Ubuntu 12.04.3 with all latest updates. Any help and
  suggestions are appreciated.

  $ lsb_release -rd
  Description:	Ubuntu 12.04.3 LTS
  Release:	12.04

  $ apt-cache policy policykit-1
  policykit-1:
    Installed: 0.104-1ubuntu1.1
    Candidate: 0.104-1ubuntu1.1
  ---
  ApportVersion: 2.0.1-0ubuntu17.4
  Architecture: amd64
  DistroRelease: Ubuntu 12.04
  MarkForUpload: True
  NonfreeKernelModules: nvidia
  Package: policykit-1 0.104-1ubuntu1.1
  PackageArchitecture: amd64
  ProcEnviron:
   LANGUAGE=en_US:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
  Tags:  precise
  Uname: Linux 3.5.0-41-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:

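The two `id` outputs quoted in the bug report are the whole story: pam_group adds supplementary groups to the credentials of the login process (what `id` with no argument, i.e. getgroups(2), shows), whereas a lookup by user name through NSS (getgrouplist(3), the path `id myusername` takes) only returns what the passwd/group databases or LDAP hold. A daemon that resolves `unix-group:` identities by name, as the reporter suspects polkit does, therefore never sees pam_group's additions. The following script is an added illustration, not part of the bug report or of polkit's source: it models both lookups over constructed records that mirror the quoted `id` output (uid/gid numbers from the report, the membership lists and the lookup model being assumptions), evaluates a polkit-style identity each way, and, when run as a program, performs the same comparison for the invoking user on the live system.

```python
"""Compare pam_group session credentials with an NSS (name-based) group lookup.

Added illustration, not code from the bug report or from polkit.
"""
import grp
import os
import pwd

# Constructed NSS view: only what /etc/passwd, /etc/group or LDAP hold.
# uid/gid numbers copied from the bug report; membership lists assumed.
PASSWD_DB = {"myusername": (6007, 6000)}      # name -> (uid, primary gid)
GROUP_DB = {                                   # name -> (gid, members)
    "ldapgroup": (6000, ["myusername"]),
    "cdrom": (24, []),
    "audio": (29, []),
    "video": (44, []),
    "plugdev": (46, []),
    "fuse": (104, []),
}
# Constructed process view after pam_group ran for the login session:
# the `groups=` list from the first `id` call quoted in the bug.
SESSION_GIDS = [6000, 24, 29, 44, 46, 104]


def groups_from_nss(user, passwd_db=PASSWD_DB, group_db=GROUP_DB):
    """Group names for `user` as a name-based lookup (`id <user>`) returns them."""
    _uid, primary_gid = passwd_db[user]
    names = set()
    for name, (gid, members) in group_db.items():
        if gid == primary_gid or user in members:
            names.add(name)
    return names


def groups_from_process(gids, group_db=GROUP_DB):
    """Group names for a process's supplementary gids (`id` with no argument)."""
    by_gid = {gid: name for name, (gid, _members) in group_db.items()}
    return {by_gid.get(gid, str(gid)) for gid in gids}


def identity_matches(identity, user, session_gids, use_process_creds):
    """Evaluate a polkit-style 'unix-group:<name>' identity.

    use_process_creds=False models the behaviour the bug describes (lookup by
    user name); True models what the reporter expected (session credentials).
    """
    kind, _, name = identity.partition(":")
    if kind != "unix-group":
        raise ValueError("only unix-group identities are handled here")
    if use_process_creds:
        return name in groups_from_process(session_gids)
    return name in groups_from_nss(user)


def missing_from_nss(user, session_gids):
    """Groups the pam_group session has that a name-based lookup lacks."""
    return groups_from_process(session_gids) - groups_from_nss(user)


def live_check():
    """Same comparison on the running system: getgroups(2) vs NSS by name."""
    me = pwd.getpwuid(os.getuid())
    nss = {g.gr_name for g in grp.getgrall() if me.pw_name in g.gr_mem}
    proc = set()
    for gid in [me.pw_gid] + list(os.getgroups()):
        try:
            name = grp.getgrgid(gid).gr_name
        except KeyError:
            name = str(gid)
        if gid == me.pw_gid:
            nss.add(name)
        proc.add(name)
    return proc - nss


if __name__ == "__main__":
    print("session-only groups (constructed records):",
          sorted(missing_from_nss("myusername", SESSION_GIDS)))
    for ident in ("unix-group:ldapgroup", "unix-group:plugdev"):
        print(ident,
              "by name:", identity_matches(ident, "myusername", SESSION_GIDS, False),
              "by process creds:", identity_matches(ident, "myusername", SESSION_GIDS, True))
    print("session-only groups (this system):", sorted(live_check()))
```

Run it from a login shell on an affected workstation: any group named in the last line exists only in the session's credentials, so a `unix-group:` rule naming it will not match that user, and sudo's `%group` rules, which also go through getgrouplist by name, behave the same way. The fix is to make the membership visible to NSS (add the users to the group in LDAP or /etc/group) rather than to rely on pam_group.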