** Summary changed:

- policykit-1 does not "see" groups assigned by pam_group
+ policykit-1 is not aware of groups assigned by pam_group

** Description changed:

- 
  I'm using pam_group for my ldap users so that they get assigned default 
ubuntu groups:
  $ tail -n2 /etc/security/group.conf
  
- # add LDAP users to these groups by default, don't give them admin rights.
+ # add LDAP users to these default groups, but don't give them admin rights.
  "*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"
  
  These additional group IDs are assigned correctly:
  
  $ id
  uid=6007(myusername) gid=6000(ldapgroup) 
groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)
  
  Based on these additional groups, I'm trying to give certain user groups
  the necessary permissions to execute program, using policykit-1.
- Unfortunately, policykit does seem to only 'see' / 'know' about the
+ Unfortunately, policykit does seem to only 'see' / 'be aware' of the
  primary group that the user belongs to (and not those additional groups
  that are assigend via /etc/security/group.conf).
  
  This works (users can start the program):
  [AllowUsertoDoSomething]
  Identity=unix-group:ldapgroup
  
  This doesn't work (users are asked to provide the administrator password):
  [AllowUsertoDoSomething]
  Identity=unix-group:plugdev
  
  I suspect that this has something to do with the fact that 'id' does
  return conflicting information about groups:
  
  # call id without username, returns all groups, including the ones defined in 
/etc/security/group.conf
  $ id
  uid=6007(myusername) gid=6000(ldapgroup) 
groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)
  
- # call id with username, only ldap groups are returned, the ones defined in 
/etc/security/group.conf are missing. 
+ # call id with username, only ldap groups are returned, the ones defined in 
/etc/security/group.conf are missing.
  $ id myusername
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)
  
- My suspicion is that policykit-1 is calling "id user" (or a similar command) 
and "sees" only the main ldap groups. 
+ My suspicion is that policykit-1 is calling "id user" (or a similar command) 
and "sees" only the main ldap groups.
  I did not expect this behavior, because /etc/pam.d/polkit-1 does include 
/etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line)
  
  This is Ubuntu 12.04.3 with all latest updates. Any help and suggestions
  are appreciated.
  
  $ lsb_release -rd
  Description:  Ubuntu 12.04.3 LTS
  Release:      12.04
  
  $ apt-cache policy policykit-1
  policykit-1:
-   Installed: 0.104-1ubuntu1.1
-   Candidate: 0.104-1ubuntu1.1
- --- 
+   Installed: 0.104-1ubuntu1.1
+   Candidate: 0.104-1ubuntu1.1
+ ---
  ApportVersion: 2.0.1-0ubuntu17.4
  Architecture: amd64
  DistroRelease: Ubuntu 12.04
  MarkForUpload: True
  NonfreeKernelModules: nvidia
  Package: policykit-1 0.104-1ubuntu1.1
  PackageArchitecture: amd64
  ProcEnviron:
-  LANGUAGE=en_US:en
-  TERM=xterm
-  PATH=(custom, no user)
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  LANGUAGE=en_US:en
+  TERM=xterm
+  PATH=(custom, no user)
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
  Tags:  precise
  Uname: Linux 3.5.0-41-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1281700

Title:
  policykit-1 is not aware of groups assigned by pam_group

Status in “policykit-1” package in Ubuntu:
  New

Bug description:
  I'm using pam_group for my ldap users so that they get assigned default ubuntu groups:
  $ tail -n2 /etc/security/group.conf

  # add LDAP users to these default groups, but don't give them admin rights.
  "*;*;*;Al0000-2400;audio,video,cdrom,plugdev,fuse"

  These additional group IDs are assigned correctly:

  $ id
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  Based on these additional groups, I'm trying to give certain user
  groups the necessary permissions to execute a program, using
  policykit-1. Unfortunately, policykit does seem to only 'see' / 'be
  aware' of the primary group that the user belongs to (and not those
  additional groups that are assigned via /etc/security/group.conf).

  This works (users can start the program):
  [AllowUsertoDoSomething]
  Identity=unix-group:ldapgroup

  This doesn't work (users are asked to provide the administrator password):
  [AllowUsertoDoSomething]
  Identity=unix-group:plugdev

  I suspect that this has something to do with the fact that 'id' does
  return conflicting information about groups:

  # call id without username, returns all groups, including the ones defined in /etc/security/group.conf
  $ id
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),24(cdrom),29(audio),44(video),46(plugdev),104(fuse)

  # call id with username, only ldap groups are returned, the ones defined in /etc/security/group.conf are missing.
  $ id myusername
  uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)

  My suspicion is that policykit-1 is calling "id user" (or a similar command) and "sees" only the main ldap groups.
  I did not expect this behavior, because /etc/pam.d/polkit-1 does include /etc/pam.d/common-auth (which includes the "auth optional pam_group.so" line)

  This is Ubuntu 12.04.3 with all latest updates. Any help and
  suggestions are appreciated.

  $ lsb_release -rd
  Description:  Ubuntu 12.04.3 LTS
  Release:      12.04

  $ apt-cache policy policykit-1
  policykit-1:
    Installed: 0.104-1ubuntu1.1
    Candidate: 0.104-1ubuntu1.1
  ---
  ApportVersion: 2.0.1-0ubuntu17.4
  Architecture: amd64
  DistroRelease: Ubuntu 12.04
  MarkForUpload: True
  NonfreeKernelModules: nvidia
  Package: policykit-1 0.104-1ubuntu1.1
  PackageArchitecture: amd64
  ProcEnviron:
   LANGUAGE=en_US:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 3.5.0-41.64~precise1-generic 3.5.7.21
  Tags:  precise
  Uname: Linux 3.5.0-41-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:
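
Added example, not part of the original report: `id` without arguments prints the calling process's own credentials, while `id myusername` resolves groups from the user database by name, and pam_group only adds groups to the former. The Python sketch below reproduces that comparison on the report's own output and on the running host. That polkit resolves groups by name is the reporter's suspicion, modelled here by the hypothetical helper `identity_matches_by_name`.

```python
import os
import pwd
import re

# Output copied from the report: `id` (process credentials) and
# `id myusername` (lookup by user name).
ID_PROCESS = ("uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup),"
              "24(cdrom),29(audio),44(video),46(plugdev),104(fuse)")
ID_BY_NAME = "uid=6007(myusername) gid=6000(ldapgroup) groups=6000(ldapgroup)"


def parse_id_groups(line):
    """Return {group_name: gid} from the groups= field of an `id` output line."""
    match = re.search(r"groups=(\S+)", line)
    if match is None:
        raise ValueError("no groups= field in id output")
    return {name: int(gid)
            for gid, name in re.findall(r"(\d+)\(([^)]+)\)", match.group(1))}


def session_only_groups(process_line, by_name_line):
    """Groups the process holds that a lookup by user name does not return."""
    process = parse_id_groups(process_line)
    by_name = parse_id_groups(by_name_line)
    return sorted(set(process) - set(by_name))


def identity_matches_by_name(identity, by_name_line):
    """Hypothetical model: does 'unix-group:NAME' match when groups are
    resolved by user name instead of from the session's credentials?"""
    kind, _, group = identity.partition(":")
    return kind == "unix-group" and group in parse_id_groups(by_name_line)


def live_session_only_gids():
    """Same comparison on the running host, using numeric GIDs."""
    user = pwd.getpwuid(os.getuid())
    process = set(os.getgroups()) | {os.getegid()}
    by_name = set(os.getgrouplist(user.pw_name, user.pw_gid))
    return sorted(process - by_name)


if __name__ == "__main__":
    print("session-only (report):", session_only_groups(ID_PROCESS, ID_BY_NAME))
    for ident in ("unix-group:ldapgroup", "unix-group:plugdev"):
        print(ident, "->", identity_matches_by_name(ident, ID_BY_NAME))
    print("session-only GIDs (this host):", live_session_only_gids())
```

Any group listed as session-only exists only in the credentials of processes started from that PAM session, so an authorization rule keyed on it cannot be satisfied by a service that looks the user up by name.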
