New policy type to check client credentials?

David Zeuthen david at fubar.dk
Fri Jan 30 12:35:54 PST 2009


On Fri, 2009-01-30 at 19:28 +0100, Michael Biebl wrote:
> Apparently this is used by admins with larger installations (mostly
> ldap backed), where they assign group membership on login via
> pam_group and current dbus fails for that.

Maybe this is off-topic but it sounds to me like pam_group is vulnerable
to the good old "once member of a group, always member of a group"
problem [1]. If so, you really shouldn't be encouraging people to use
such things.

     David

[1] : copy any shell to $HOME, chown copied binary to desired group, set
the setgid bit, done
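A defensive audit for the artifact footnote [1] describes, as an added example that is not part of the original message: it lists setgid executables under a directory tree that are owned by a non-root user and whose group is not that owner's primary group. The function names and the default `/home` root are assumptions.

```python
import os
import pwd
import stat
import sys


def is_retained_group_artifact(mode, owner_uid, file_gid, owner_primary_gid):
    """True for a setgid, group-executable regular file that a non-root user
    owns and whose group is not that user's primary group."""
    return (
        stat.S_ISREG(mode)
        and bool(mode & stat.S_ISGID)
        and bool(mode & stat.S_IXGRP)  # setgid without g+x grants nothing on exec
        and owner_uid != 0
        and file_gid != owner_primary_gid
    )


def primary_gid(uid):
    """Primary group from the passwd database, or None for an unknown uid
    (an orphaned owner never matches, so the file is still reported)."""
    try:
        return pwd.getpwuid(uid).pw_gid
    except KeyError:
        return None


def scan(root):
    """Walk root without following symlinks; return [(path, uid, gid)]."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if is_retained_group_artifact(
                st.st_mode, st.st_uid, st.st_gid, primary_gid(st.st_uid)
            ):
                findings.append((path, st.st_uid, st.st_gid))
    return findings


if __name__ == "__main__":
    for path, uid, gid in scan(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(f"{path}\towner_uid={uid}\tsetgid_gid={gid}")
```

Mounting user-writable filesystems with `nosuid` makes the kernel ignore the setgid bit on execution, so a copy like this grants nothing there.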



