Dbus and pam_group.so don't understand each other
Avery Pennarun
apenwarr at gmail.com
Tue Jan 22 07:41:01 PST 2008
On 21/01/2008, Dariem Pérez Herrera <dariemp at uci.cu> wrote:
> I don't know if this is a solved bug or there is still somebody working it on, but there is no
> way for ldap or active direcory users assigned to group plugdev through pam_group.so
> (session group?) to be recognized by dbus/hal, so they can't mount pluggable devices,
> however other applications seems to be perfectly aware of this groups, so the problem is
> not in glibc like some people may think. Any known solution?
Hmm, perhaps dbus/hal are calling getgrent() and friends rather than
using the supplementary groups (getgroups()) assigned to the
connecting process? pam_group.so adds groups to your user at login
time that wouldn't be returned by getgrent(). It seems that
SO_PASSCRED doesn't directly support getting a full list of
supplementary groups.
I gather that you could *supply* a list of supplementary groups during
authentication using an annoying process of sending one SO_PASSCRED
message for each group in your getgroups() list.
But I haven't looked at this part of the dbus/hal/etc code, so I don't
know exactly how this is done currently. I might be guessing wrong
about the problem here.
Have fun,
Avery
More information about the dbus
mailing list