Date: Tue, 31 May 2011 12:12:35 +0400
From: Lev Serebryakov <lev@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: pam_ldap + nss_ldap, su(1), group wheel and pam_group
Message-ID: <616706222.20110531121235@serebryakov.spb.ru>
Hello, Freebsd-security.

What is the proper way to mix pam_ldap/nss_ldap (no users but root in local files), su(1) and the check for group `wheel'?

The "files" source should have precedence over "ldap" in /etc/nsswitch.conf, for changing user/group by daemons before full network configuration, and so that the local "root" has priority over any LDAP ones. Group `wheel' should be in /etc/group, because it seems that it should be available in any conditions.

But the result of this is a conflict: id(1) shows that the user is included in group `wheel' (on LDAP), because `id' uses getgroups(2), but su(1) refuses the user, because it uses getgrnam(3), which finds group "wheel" in /etc/group, where the user doesn't belong to group "wheel" :(

Is there any `standard' solution to this problem? I know about sudo(8), but I am afraid that this inconsistency could bite somewhere else, and in any case, I want su(1) to work :)

Is there any reason why pam_group(8) is inconsistent with id(1) in the way it determines to which groups a user belongs?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
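The mismatch described in the post comes down to two different questions being asked of NSS. su(1) via pam_group(8) looks the group up by name with getgrnam(3) and scans that single entry's member list; with "files" ahead of "ldap" in nsswitch.conf, the /etc/group entry for wheel is returned and its LDAP members are never consulted. id(1) instead builds the user's complete gid list (what initgroups(3)/getgrouplist(3) produce and getgroups(2) later reports), which NSS assembles from all configured sources. The following C program is an added example, not code from the post or from FreeBSD; it implements both membership checks, runs them over constructed data that reproduces the post's scenario (the group entry `wheel:*:0:root` and the gid list for a hypothetical LDAP user `lev` are made up for illustration), and then repeats the comparison live against the running system's NSS configuration.

```c
/* Added example (not from the mailing-list post): the two ways of answering
 * "is user U a member of group G" that the post shows disagreeing.
 *
 *  - pam_group(8)/su(1) style: getgrnam(3), then scan gr_mem.
 *  - id(1) style: the user's full gid list (getgrouplist(3), the same data
 *    initgroups(3) installs and getgroups(2) returns), checked for the gid.
 */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Membership as pam_group/su see it: scan gr_mem of one struct group. */
int member_by_grmem(const struct group *gr, const char *user)
{
    if (gr == NULL || gr->gr_mem == NULL)
        return 0;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Membership as id(1) sees it: is the group's gid in the user's gid list? */
int member_by_gidlist(gid_t target, const gid_t *gids, int ngids)
{
    for (int i = 0; i < ngids; i++)
        if (gids[i] == target)
            return 1;
    return 0;
}

/* Constructed data (hypothetical values) mirroring the post: /etc/group
 * lists only root in wheel, while the LDAP directory also places "lev" in
 * wheel, so lev's NSS-assembled gid list contains gid 0. */
static char *wheel_members[] = { "root", NULL };
static struct group files_wheel = { "wheel", "*", 0, wheel_members };
static const gid_t lev_gids[] = { 1001, 0 };   /* primary gid + wheel via LDAP */
static const gid_t root_gids[] = { 0 };

/* 1 when the two views disagree for this user against the files-wheel entry. */
int views_disagree(const char *user, const gid_t *gids, int ngids)
{
    int via_files = member_by_grmem(&files_wheel, user);
    int via_list = member_by_gidlist(files_wheel.gr_gid, gids, ngids);
    return via_files != via_list;
}

/* Live comparison using the running system's NSS sources.
 * Returns 0 and fills both flags, or -1 if user/group are unknown. */
int live_check(const char *user, const char *groupname, int *via_grnam, int *via_list)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(groupname);
    if (pw == NULL || gr == NULL)
        return -1;
    gid_t gids[256];
    int n = (int)(sizeof gids / sizeof gids[0]);
    if (getgrouplist(user, pw->pw_gid, gids, &n) == -1)
        return -1;                       /* list would not fit; treat as failure */
    *via_grnam = member_by_grmem(gr, user);
    *via_list = member_by_gidlist(gr->gr_gid, gids, n);
    return 0;
}

int main(void)
{
    printf("constructed scenario, user lev: via gr_mem = %d, via gid list = %d\n",
           member_by_grmem(&files_wheel, "lev"),
           member_by_gidlist(files_wheel.gr_gid, lev_gids, 2));
    int a, b;
    if (live_check("root", "root", &a, &b) == 0)
        printf("live, root in group root: via gr_mem = %d, via gid list = %d\n", a, b);
    return 0;
}
```

The constructed case prints `via gr_mem = 0, via gid list = 1`, which is exactly the su-says-no, id-says-yes outcome in the post. The live check is the diagnostic to run on an affected host: if the two flags differ for a user and group you expect to agree, membership for that group is being resolved from different NSS sources by the two code paths.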