8430 – pam_group.so is ignored with ThinLinc login

Bug 8430 - pam_group.so is ignored with ThinLinc login

Summary: pam_group.so is ignored with ThinLinc login

Status:	NEW

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Server OS (show other bugs)
Version:	trunk
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	MediumPrio
Assignee:	Bugzilla mail exporter

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-10-07 09:21 CEST by Martin Karch
Modified:	2024-10-08 13:39 CEST (History)
CC List:	0 users

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Martin Karch 2024-10-07 09:21:24 CEST

When logging into my machine via ssh then pam_group.so module works as expected and assigns additional local groups to the logged in user as configured in /etc/security/group.conf.

When logging in via ThinLinc the pam_group.so module seems to be ignored. The users don't get their configured local groups (e.g. sudo).

Comment 1 Pierre Ossman cendio

2024-10-07 09:50:14 CEST

Thank you for the report.

pam_group seems to do its work in the hidden "setcred" stage of PAM, which unfortunately isn't currently performed by ThinLinc.

Looking at sshd, it performs this stage unconditionally, just before the "session" stage. We should probably do the same.

Also, worth to note is that sshd ignores any errors from the "setcred" stage if the "auth" stage isn't performed, which is likely also relevant for us.

Comment 2 Pierre Ossman cendio

2024-10-07 09:57:14 CEST

I did a check of the other PAM modules included in Linux PAM, and could not find any other module that relies solely on "setcred" like pam_group does. So the issue should hopefully not be widespread.

Note You need to log in before you can comment on or make changes to this bug.