Your message dated Mon, 13 May 2019 15:59:13 +0100
with message-id <[email protected]>
and subject line Re: Bug#501807: hal: does not work with dynamically assigned secondary groups
has caused the Debian Bug report #501807,
regarding userdb does not handle dynamically assigned groups
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
501807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501807
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: hal: does not work with dynamically assigned secondary groups
Package: hal
Version: 0.5.11-4
Severity: normal

There seems to be a regression (this worked before) in the way at least the plugdev group is interpreted by hal.

I have a setup where users who log in on the console are provided with extra groups like so:
- add "auth optional pam_group.so" to /etc/pam.d/gdm
- add "gdm; :*; *; Al0000-2400; audio,floppy,video,cdrom,scanner,plugdev,voice" to /etc/security/group.conf

This causes the named groups to be assigned when the user logs in through gdm (the second command does username/group lookups, the first one gets the groups from the process):

% id -a
uid=1000(arthur) gid=100(users) groups=22(voice),24(cdrom),25(floppy),29(audio),40(src),44(video),46(plugdev),100(users),112(scanner)
% id -a arthur
uid=1000(arthur) gid=100(users) groups=40(src),46(plugdev),100(users)

On this setup users are set up in an LDAP server. The plugdev group is not in LDAP because it is a system group so there is no central way to add the user to that group. Adding all users to the plugdev group on all systems is not really an option (this would be a lot of work when adding or removing users).

This setup worked before but now I have to add the user to the plugdev group in /etc/group for it to work, otherwise gnome-mount fails with this error message:

% gnome-mount --hal-udi=/org/freedesktop/Hal/devices/volume_label_MyCD --text --verbose
gnome-mount 0.7
** (gnome-mount:19399): DEBUG: Mounting /org/freedesktop/Hal/devices/volume_label_MyCD
** (gnome-mount:19399): DEBUG: read default option 'uid=' from gconf strlist key /system/storage/default_options/iso9660/mount_options
** (gnome-mount:19399): DEBUG: Mounting /org/freedesktop/Hal/devices/volume_label_MyCD with mount_point='MyCD', fstype='', num_options=1
** (gnome-mount:19399): DEBUG: option='uid=1000'
** (gnome-mount:19399): WARNING **: Mount failed for /org/freedesktop/Hal/devices/volume_label_MyCD
org.freedesktop.DBus.Error.AccessDenied : A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.freedesktop.Hal.Device.Volume" member "Mount" error name "(unset)" destination "org.freedesktop.Hal")

What is the best way to give users who log in through gdm the proper access rights to mount filesystems?

[after some more searching]

In /etc/dbus-1/system.d/hal.conf there is a reference to an at_console policy. Installing the consolekit package seems to get everything working.

There may be two issues here. The first is that hal does not pick up the runtime secondary groups any more. The second is probably more a documentation issue. It took me a lot of googling, grepping, running daemons in debugging mode, looking in XML configuration files and reverse dependencies before I got at consolekit, policykit and finally policykit-gnome which is probably the package I want.

Some shortcuts would be helpful here (some package could recommend policykit-gnome or a helpful note in a README.Debian). Not sure which package should do that though.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages hal depends on:
ii  adduser           3.110        add and remove users and groups
ii  dbus              1.2.1-3      simple interprocess messaging syst
ii  hal-info          20081001-1   Hardware Abstraction Layer - fdi f
ii  libc6             2.7-14       GNU C Library: Shared libraries
ii  libdbus-1-3       1.2.1-3      simple interprocess messaging syst
ii  libdbus-glib-1-2  0.76-1       simple interprocess messaging syst
ii  libexpat1         2.0.1-4      XML parsing C library - runtime li
ii  libgcc1           1:4.3.2-1    GCC support library
ii  libglib2.0-0      2.16.6-1     The GLib library of C routines
ii  libhal-storage1   0.5.11-4     Hardware Abstraction Layer - share
ii  libhal1           0.5.11-4     Hardware Abstraction Layer - share
ii  libsmbios1        0.13.13-1    Provide access to (SM)BIOS informa
ii  libstdc++6        4.3.2-1      The GNU Standard C++ Library v3
ii  libusb-0.1-4      2:0.1.12-13  userspace USB programming library
ii  libvolume-id0     0.125-7      libvolume_id shared library
ii  lsb-base          3.2-20       Linux Standard Base 3.2 init scrip
ii  mount             2.13.1.1-1   Tools for mounting and manipulatin
ii  pciutils          1:3.0.0-6    Linux PCI Utilities
ii  pm-utils          1.1.2.4-1    utilities and scripts for power ma
ii  udev              0.125-7      /dev/ and hotplug management daemo
ii  usbutils          0.73-10      Linux USB utilities

Versions of packages hal recommends:
ii  eject             2.1.5+deb1-4  ejects CDs and operates CD-Changer
pn  libsmbios-bin     <none>        (no description available)

Versions of packages hal suggests:
pn  gnome-device-manager  <none>    (no description available)

-- no debconf information

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
--- End Message ---
--- Begin Message ---
Version: 1.13.4

On Fri, 24 Oct 2008 at 02:42:39 +0200, Michael Biebl wrote:
> Afaik, dynamically assigned groups never worked with dbus.

This wasn't possible to implement in a secure way until several years after this bug report (see upstream bug <https://bugs.freedesktop.org/show_bug.cgi?id=9328>).

Linux kernels >= 4.13 implement a new SO_PEERGROUPS socket option that can finally be used to implement this feature securely, and dbus >= 1.13.4 (currently only in experimental, but likely to be in the Debian 11 stable release in about 2 years) makes use of it.

    smcv
--- End Message ---
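
The difference between the two "id" outputs in the report, and what SO_PEERGROUPS provides, can be seen on a local AF_UNIX socket. The following is an added example, not code from dbus or from either message: it reads the supplementary groups the kernel recorded for the peer's process and marks those a name-based user database lookup would not return. The helper names are hypothetical, and the fallback value 59 for SO_PEERGROUPS is the asm-generic number, assumed only when the system headers predate Linux 4.13.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERGROUPS
#define SO_PEERGROUPS 59 /* asm-generic value, assumed for pre-4.13 headers */
#endif

/* Supplementary groups the kernel recorded for the peer when the socket was
 * connected. Returns the count, or -1 with errno set (ENOPROTOOPT on kernels
 * without the option, ERANGE if max is too small). */
int peer_groups(int fd, gid_t *out, int max)
{
    socklen_t len = (socklen_t)max * sizeof(gid_t);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, out, &len) < 0)
        return -1;
    return (int)(len / sizeof(gid_t));
}

/* 1 if g is among the n entries of set, else 0. */
int gid_in(gid_t g, const gid_t *set, int n)
{
    for (int i = 0; i < n; i++)
        if (set[i] == g) return 1;
    return 0;
}

int main(void)
{
    int sv[2];
    gid_t peer[1024], db[1024];
    int ndb = 1024;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    int n = peer_groups(sv[0], peer, 1024);
    if (n < 0) { perror("SO_PEERGROUPS"); return 1; }
    /* What a lookup by user name (the "id -a arthur" path) reports. */
    struct passwd *pw = getpwuid(getuid());
    if (!pw || getgrouplist(pw->pw_name, pw->pw_gid, db, &ndb) < 0) ndb = 0;
    for (int i = 0; i < n; i++)
        printf("gid %u: %s\n", (unsigned)peer[i],
               gid_in(peer[i], db, ndb) ? "also in user database"
                                        : "process-only (e.g. pam_group)");
    return 0;
}
```

Because the kernel fills in the list from the credentials captured at connect time, a server reading it does not depend on the user database and does not have to trust anything the client sends.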

