Try:
wheel:*:0:root,us
It looks like pam was stopping at the first matching line as you would
expect from the man page for the group file. If there is a bug it is in
the more liberal interpretation by other software.
-----Original Message-----
From: owner-freebsd-stable@freebsd.org
[mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Ulrich Spoerlein
Sent: Wednesday, 22 August 2007 5:51 AM
To: stable@freebsd.org
Subject: pam_group vs. multiple group lines
Hi,
I think I found a deficiency wrt. pam_group (which also hits sudo(8)
so this might be libc related instead).
I found this while trying to migrate groups into LDAP, but you don't
need LDAP to reproduce this, simply place the following in /etc/group
wheel:*:0:root
wheel:*:0:us
% getent group|grep wheel;id
wheel:*:0:root
wheel:*:0:us
uid=1001(us) gid=1000(us) groups=1000(us),0(wheel),80(www)
As you can see, getent(1) and id(1) work fine. File access also works
as expected, except for su(8) (because of pam_group group=wheel in
pam.d/su).
% su -
su: Sorry
Combine the wheel entries back into one line and su(8) suddenly starts
working again. Same problem hits sudo(8) if you are using a %wheel
line. Since there is no pam.d/sudo on my system I think the bug probably
lies in libc itself.
Is this expected behaviour? I'd classify it as a bug ...
Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
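
Added example, not part of either message and not FreeBSD's own code: a small Python model of the two lookup behaviours the thread describes (a by-name lookup that stops at the first matching line versus a scan of every line), plus a check that flags group names split across several lines. The sample data is constructed from the lines quoted above; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample mirroring the /etc/group lines quoted in the thread.
SAMPLE_GROUP = """\
wheel:*:0:root
wheel:*:0:us
www:*:80:us
us:*:1000:
"""

def parse_group(text):
    """Parse group(5)-style text into (lineno, name, gid, members) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # malformed line: ignored by this model
        name, _passwd, gid, members = fields
        entries.append((lineno, name, int(gid),
                        [m for m in members.split(",") if m]))
    return entries

def first_match_members(entries, group):
    """By-name lookup that stops at the first matching line (what su hit)."""
    for _lineno, name, _gid, members in entries:
        if name == group:
            return members
    return None

def all_groups_of(entries, user):
    """Scan every line and merge memberships (what id(1) reported)."""
    return sorted({name for _l, name, _g, members in entries if user in members})

def split_groups(entries):
    """Return {group name: [line numbers]} for names on more than one line."""
    seen = defaultdict(list)
    for lineno, name, _gid, _members in entries:
        seen[name].append(lineno)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    entries = parse_group(SAMPLE_GROUP)
    print("first match for wheel:", first_match_members(entries, "wheel"))
    print("groups of us (full scan):", all_groups_of(entries, "us"))
    print("split group names:", split_groups(entries))
```

Running `split_groups` over a group file before and after a migration shows which names need merging into a single line so that both lookup styles agree.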