Dbus and pam_group.so don't understand each other

Simon McVittie simon.mcvittie at collabora.co.uk
Thu Jan 24 01:20:27 PST 2008


On Wed, 23 Jan 2008 at 15:25:41 -0500, Dariem Pérez Herrera wrote:
> Oh, my mistake. I should have said something like getgroups(), but receiving a user as argument. Well, maybe this function doesn't exist, but maybe there is some alternative way...

If you're using pam_group, this wouldn't work, though... it'd have to
take a *process ID* as an argument, because the way pam_group works is
to add an extra group ID to processes in the session. There's no concept
of modifying the *user* in pam_group - to do this, you'd have to modify
something used as input by NSS, like /etc/group or whatever.

A similar issue: if you use sg(1) or newgrp(1) to give an extra group to
certain processes, D-Bus won't necessarily believe you have that group
(whether it does or not will depend on the precise implementation of
libdbus and of the platform).

Extending D-Bus' use of SCM_CREDENTIALS/SO_PASSCRED/etc. to send one set
of credentials per group, rather than just the primary group ID, might be
sufficient to fix this on some platforms (those that don't need to send
at least one byte per set of credentials).

    Simon

