pam_group is a historical curiosity. While we should continue to ship it
in pam for compatibility with existing configurations, there is no good
reason to use it in a new deployment, and we should not consider
incompatibility with pam_group to itself be a reason to change the
behavior of a pam application.

Static group memberships should be expressed through NSS, not through
pam_group, so that the system has a consistent view of the memberships.
This includes group memberships at large LDAP installations. You may
want to be using sssd for this.

pam_group's support for dynamic group assignments (time-of-day, etc) is
inherently flawed, because there is no support for runtime revocation of
group membership of Unix processes, and there is no associated service
to reap processes with out-of-policy group memberships. pam_group's
dynamic group assignments should be considered entirely superseded by
logind.

I believe the behavior of calling pam_setcred() from a pam application
that has not first called pam_authenticate() is undefined, so I don't
think this is a good general solution for applications aside from
pam_group.

So I'm closing this bug as wontfix unless a clearer rationale for this
change presents itself.

** Changed in: systemd (Ubuntu Bionic)
Status: New => Won't Fix
** Changed in: systemd (Ubuntu)
Status: New => Invalid
** Changed in: systemd (Ubuntu)
Status: Invalid => Won't Fix
** Changed in: systemd (Ubuntu Cosmic)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-terminal in Ubuntu.
https://bugs.launchpad.net/bugs/1762391
Title:
pam_group.so is not evaluated by gnome-terminal
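
An added illustration of the NSS and revocation points in the comment above (not part of the original message, and not code from pam or systemd): a process keeps the supplementary groups it was started with, so an audit can compare the `Groups:` line of each `/proc/<pid>/status` with what NSS reports for that account. `SAMPLE_STATUS` and all function names are constructed for this example.

```python
import os
import pwd

# Constructed sample of /proc/<pid>/status; gid 1500 is not in the stubbed NSS view.
SAMPLE_STATUS = ("Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n"
                 "Gid:\t1000\t1000\t1000\t1000\nGroups:\t4 27 1000 1500\n")

def parse_status(text):
    """Return (real_uid, real_gid, supplementary_gids) from status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    uid = int(fields["Uid"][0])
    gid = int(fields["Gid"][0])
    groups = {int(g) for g in fields.get("Groups", [])}
    return uid, gid, groups

def nss_groups(uid, gid):
    """Groups NSS (files, LDAP, sssd, ...) reports for the account, plus gid."""
    name = pwd.getpwuid(uid).pw_name
    return set(os.getgrouplist(name, gid))

def groups_outside_nss(status_text, lookup=nss_groups):
    """Supplementary gids the process holds that the lookup does not report."""
    uid, gid, groups = parse_status(status_text)
    return sorted(groups - lookup(uid, gid))

def scan(proc="/proc"):
    """Map pid -> gids held by the process but absent from the NSS view."""
    findings = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                extra = groups_outside_nss(fh.read())
        except (OSError, KeyError):  # process exited, or uid unknown to NSS
            continue
        if extra:
            findings[int(entry)] = extra
    return findings

if __name__ == "__main__":
    for pid, gids in sorted(scan().items()):
        print(f"pid {pid}: groups not in NSS: {gids}")
```

A finding only says the process's groups differ from the NSS view; it does not identify what granted them, and reading other users' processes may need elevated privileges depending on how `/proc` is mounted.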