pam_group is a historical curiosity. While we should continue to ship it in pam for compatibility with existing configurations, there is no good reason to use it in a new deployment, and we should not consider incompatibility with pam_group to itself be a reason to change the behavior of a pam application.
Static group memberships should be expressed through NSS, not through pam_group, so that the system has a consistent view of the memberships. This includes group memberships at large LDAP installations. You may want to be using sssd for this.

pam_group's support for dynamic group assignments (time-of-day, etc) is inherently flawed, because there is no support for runtime revocation of group membership of Unix processes, and there is no associated service to reap processes with out-of-policy group memberships. pam_group's dynamic group assignments should be considered entirely superseded by logind.

I believe the behavior of calling pam_setcred() from a pam application that has not first called pam_authenticate() is undefined, so I don't think this is a good general solution for applications aside from pam_group.

So I'm closing this bug as wontfix unless a clearer rationale for this change presents itself.

** Changed in: systemd (Ubuntu Bionic)
   Status: New => Won't Fix

** Changed in: systemd (Ubuntu)
   Status: New => Invalid

** Changed in: systemd (Ubuntu)
   Status: Invalid => Won't Fix

** Changed in: systemd (Ubuntu Cosmic)
   Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1762391

Title:
  pam_group.so is not evaluated by gnome-terminal

Status in systemd:
  New
Status in gnome-terminal package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Won't Fix
Status in systemd source package in Bionic:
  Won't Fix
Status in systemd source package in Cosmic:
  Won't Fix

Bug description:
We are using Ubuntu in a university network with lots of ldap users. To automatically map ldap users/groups to local groups we are using pam_group.so. This has worked for years. With the upgrade from Xenial to Bionic /etc/security/group.conf is not evaluated anymore by gnome-terminal as it runs as systemd --user.
Xterm, ssh, su, and tty* however do work as expected. Only the default gnome-terminal behaves differently.

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851243 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756458 this might not be a bug, but a feature. Nevertheless this behavior is very unexpected when upgrading from Xenial to Bionic and therefore should at least be added to the changelog.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-terminal 3.28.0-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-10.11-generic 4.15.3
Uname: Linux 4.15.0-10-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 9 13:17:52 2018
InstallationDate: Installed on 2018-03-29 (11 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180321)
SourcePackage: gnome-terminal
UpgradeStatus: No upgrade log present (probably fresh install)
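
A diagnostic for the inconsistency this report describes, added here as an example and not part of the original message or of pam/systemd: it compares the supplementary groups the current process actually holds with the groups NSS reports for the same user. The function names (compare_groups, gid_name, current_process_report) are hypothetical, and the reading of each difference in the comments is an assumption about the usual cause.

```python
import grp
import os
import pwd


def compare_groups(process_gids, nss_gids):
    """Split GIDs into those held only by the process and those known only to NSS."""
    proc, nss = set(process_gids), set(nss_gids)
    return {
        # Assumed cause: added at session setup (e.g. by pam_group), invisible to NSS.
        "only_in_process": sorted(proc - nss),
        # Assumed cause: session started without them, or membership changed since login.
        "only_in_nss": sorted(nss - proc),
    }


def gid_name(gid):
    """Resolve a GID through NSS, tolerating GIDs that have no group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return "<no NSS entry>"


def current_process_report():
    """Compare this process's credentials with the NSS view of its user."""
    pw = pwd.getpwuid(os.getuid())
    # getgroups() may omit the effective GID, so add it explicitly.
    process_gids = set(os.getgroups()) | {os.getegid()}
    # getgrouplist() asks NSS (files, LDAP via sssd, ...) for the user's groups.
    nss_gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    return pw.pw_name, compare_groups(process_gids, nss_gids)


if __name__ == "__main__":
    user, report = current_process_report()
    print(f"user: {user}")
    for key, gids in report.items():
        names = ", ".join(f"{gid_name(g)}({g})" for g in gids) or "none"
        print(f"{key}: {names}")
```

Running it once in xterm and once in gnome-terminal shows which session carries groups that NSS does not know about.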