Dbus and pam_group.so don't understand each other

Avery Pennarun apenwarr at gmail.com
Wed Jan 23 11:44:44 PST 2008


On Wed, Jan 23, 2008 at 01:54:43PM -0500, Dariem Pérez Herrera wrote:

> I don't see how PolicyKit and ConsoleKit can help. Could you explain a
> little bit more? I was reviewing /etc/dbus-1/system.d/hal.conf . I saw
> there are policies for group plugdev correctly set. I added a policy for
> "domain users" and it worked while the network was connected. On network
> failure this group is lost, and again domain users can't mount pluggable
> devices till restarting dbus. I think the solution should be to use a
> function like getgrent() for obtaining the groups from the group database
> through the NSS mechanism existing in glibc, but just for a given specific
> user and not for the calling process user. I'm not familiar with dbus
> source code (not yet). Can somebody point me to where I should look to fix
> this? Or is there any patch solving the problem following this idea?

Hi Dariem,

The problem is that getgrent() doesn't know anything about pam_group.so, so
it won't be able to help here.  pam_group.so is only used on session
creation, which is the job of gdm (or whatever you use instead), not dbus.

What do you mean "this group is lost" on network failure?  Lost from where?

The suggestion of PolicyKit/ConsoleKit doesn't solve your problem right
away, but the idea is access control without using unix groups at all, which
avoids this problem (and maybe creates new ones).  Example:
http://hal.freedesktop.org/docs/PolicyKit/intro-define-problem.html

Have fun,

Avery
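
An added example, not part of the original message and not dbus code: a small C check that compares the supplementary groups the current session actually holds (getgroups()) with the groups the NSS group database reports for the same user (getgrouplist()). Groups granted only at session creation, as pam_group.so does, show up in the first list and not in the second; the helper name session_only_groups and the 64-entry starting buffer are assumptions made for this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes getgrouplist() in <grp.h> on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Write to out[] each gid in session[] that is absent from db[]; return the
 * count. These are groups the session holds but a database lookup cannot see. */
size_t session_only_groups(const gid_t *session, size_t n_session,
                           const gid_t *db, size_t n_db, gid_t *out)
{
    size_t n_out = 0;
    for (size_t i = 0; i < n_session; i++) {
        int found = 0;
        for (size_t j = 0; j < n_db && !found; j++)
            found = (session[i] == db[j]);
        if (!found)
            out[n_out++] = session[i];
    }
    return n_out;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    int n_session = getgroups(0, NULL), n_db = 64;
    if (!pw || n_session < 0) return 1;
    /* Supplementary groups attached to this process at session creation. */
    gid_t *session = calloc((size_t)n_session + 1, sizeof *session);
    gid_t *extra = calloc((size_t)n_session + 1, sizeof *extra);
    gid_t *db = calloc((size_t)n_db, sizeof *db);
    if (!session || !extra || !db) return 1;
    if ((n_session = getgroups(n_session, session)) < 0) return 1;
    /* Groups the NSS group database reports for the same user name. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, db, &n_db) < 0) {
        db = realloc(db, (size_t)n_db * sizeof *db); /* n_db = required size */
        if (!db || getgrouplist(pw->pw_name, pw->pw_gid, db, &n_db) < 0) return 1;
    }
    size_t n = session_only_groups(session, (size_t)n_session, db, (size_t)n_db, extra);
    for (size_t i = 0; i < n; i++)
        printf("gid %lu is held by this session but is not in the database for %s\n",
               (unsigned long)extra[i], pw->pw_name);
    free(session); free(extra); free(db);
    return 0;
}
```

Run it inside the desktop session of the affected user; any gid it prints is one that a per-user database lookup in another process would not return.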

