From root@edelweiss.dyns.cx  Sat Jun 14 12:18:16 2003
Return-Path: <root@edelweiss.dyns.cx>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BA3C537B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 14 Jun 2003 12:18:16 -0700 (PDT)
Received: from edelweiss.dyns.cx (d226-89-236.home.cgocable.net [24.226.89.236])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 18B5143FCB
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 14 Jun 2003 12:18:16 -0700 (PDT)
	(envelope-from root@edelweiss.dyns.cx)
Received: by edelweiss.dyns.cx (Postfix, from userid 0)
	id 83A89F74A1; Sat, 14 Jun 2003 15:18:16 -0400 (EDT)
Message-Id: <20030614191816.83A89F74A1@edelweiss.dyns.cx>
Date: Sat, 14 Jun 2003 15:18:16 -0400 (EDT)
From: Kamen Angelov <kamenangelov@netscape.net>
Reply-To: Kamen@edelweiss.dyns.cx,
	"Angelov <kamenangelov"@netscape.net
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pam_group problems (PAM_RUSER used instead of PAM_USER)
X-Send-Pr-Version: 3.113
X-GNATS-Notify: vs

>Number:         53324
>Category:       bin
>Synopsis:       pam_group problems (PAM_RUSER used instead of PAM_USER)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 14 12:20:07 PDT 2003
>Closed-Date:    Sat Jul 30 01:23:51 GMT 2005
>Last-Modified:  Sat Jul 30 01:23:51 GMT 2005
>Originator:     Kamen Angelov
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
Do-Nothing Unlimited
>Environment:
System: FreeBSD edelweiss.dyns.cx 5.1-RELEASE FreeBSD 5.1-RELEASE #11: Sat Jun 14 03:10:32 EDT 2003 root@edelweiss.dyns.cx:/usr/src/sys/i386/compile/EDELWEISS i386

>Description:

I use pam_group to control which users can use which services. I have the following line
in my PAM configuration for my FTP server:

auth requisite pam_group.so group=allow_ftp

With this line uncommented, the server refuses access to everyone: even the users who are supposed to have access to it.

With (mostly) the same PAM setting, I get the following error in the SSHD log:

Jun 14 14:19:07 edelweiss sshd[26043]: error: PAM: authentication error

and then the user is allowed in (?!?!?).

I believe this is a problem with pam_group itself: the module reads the PAM_RUSER field instead of PAM_USER when trying to fetch the username of the user. I believe PAM_USER would be the correct field to read in this context.

When PAM_RUSER is replaced with PAM_USER all warnings disappear and everything seems to work as expected.

>How-To-Repeat:

I believe I answered this above.

>Fix:

Run "Search and Replace" on PAM_RUSER and replace it with PAM_USER.


>Release-Note:
>Audit-Trail:

From: Dag-Erling Smorgrav <des@ofug.org>
To: Kamen@edelweiss.dyns.cx
Cc: "Angelov <kamenangelov"@netscape.net,
	FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: i386/53324: pam_group problems (PAM_RUSER used instead of
 PAM_USER)
Date: Sun, 15 Jun 2003 00:59:41 +0200

 Kamen Angelov <kamenangelov@netscape.net> writes:
 > I believe this is a problem with pam_group itself: the module reads
 > the PAM_RUSER field instead of PAM_USER when trying to fetch the
 > username of the user. I believe PAM_USER would be the correct field
 > to read in this context.
 
 No.  PAM_RUSER is the applicant, PAM_USER is the user you're trying to
 log in as.  The purpose of pam_group(8) is to check that the applicant
 is in the correct group.
 
 The correct solution to your problem would be to make pam_group(8)
 understand the auth_as_self flag, not to blindly change PAM_RUSER to
 PAM_USER.
 
 > When PAM_RUSER is replaced with PAM_USER all warnings disappear and
 > everything seem to work as expected.
 
 Except for su(1), which is what pam_group(8) is intended for.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
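
To make the applicant/target distinction in the reply above concrete, here is an added model of the pam_group decision. It is illustration only: not FreeBSD's pam_group.c, not code from anyone in this thread, and it does not link against libpam. The PAM item dictionary, the group table and the login names (alice, bob, mallory) are constructed; the "auth_as_self" option is the one DES proposes, and giving it the meaning "check PAM_USER instead of PAM_RUSER" is an assumption of this model. It assumes that ftpd sets PAM_USER but no PAM_RUSER.

```python
"""Model of the pam_group(8) decision discussed in this PR.

Added illustration only: this is not FreeBSD's pam_group.c and does not link
against libpam. The PAM item dictionary, the group table and every login name
below are constructed. The "auth_as_self" option is the one DES suggests in
his reply; giving it the meaning "check PAM_USER instead of PAM_RUSER" is an
assumption of this model.
"""
from enum import Enum
from typing import Dict, Optional, Set


class PamResult(Enum):
    # Names as used by pam(3); the values are model-local, not libpam's numbers.
    PAM_SUCCESS = "success"
    PAM_AUTH_ERR = "auth_err"


# Constructed stand-in for getgrnam(3): group name -> member logins.
# root is a member of wheel, as on a stock FreeBSD system.
GROUPS: Dict[str, Set[str]] = {
    "wheel": {"root", "bob"},
    "allow_ftp": {"alice", "bob"},
}


def pam_group_authenticate(pam_items: Dict[str, Optional[str]], group: str,
                           auth_as_self: bool = False) -> PamResult:
    """Decide as pam_group does: is the relevant login a member of `group`?

    pam_items carries the PAM items the calling service set.
    - Default (the real module's behaviour): check the applicant, PAM_RUSER.
      For su(1) that is the person typing the password, the user whose
      wheel membership matters.
    - auth_as_self (assumed option): check the target, PAM_USER.  For a
      network login (ftpd, sshd) the account being logged into is the one
      whose group membership should be checked.
    An unset item is treated as a failed check (model behaviour).
    """
    item = "PAM_USER" if auth_as_self else "PAM_RUSER"
    login = pam_items.get(item)
    if not login:
        return PamResult.PAM_AUTH_ERR
    if login in GROUPS.get(group, set()):
        return PamResult.PAM_SUCCESS
    return PamResult.PAM_AUTH_ERR


def scenarios() -> Dict[str, str]:
    """The cases from the thread, returned as result names for inspection."""
    # su(1) sets both items: the applicant and the account being switched to.
    su_bob = {"PAM_USER": "root", "PAM_RUSER": "bob"}
    su_mallory = {"PAM_USER": "root", "PAM_RUSER": "mallory"}
    # A network login service, assumed to set PAM_USER but no PAM_RUSER.
    ftp_alice = {"PAM_USER": "alice"}
    ftp_mallory = {"PAM_USER": "mallory"}
    return {
        # su: the applicant check works as intended.
        "su_bob_default": pam_group_authenticate(su_bob, "wheel").name,
        "su_mallory_default": pam_group_authenticate(su_mallory, "wheel").name,
        # su with the proposed blanket PAM_USER change: root is in wheel, so
        # the check passes for any applicant.  This is the "except for su(1)"
        # objection in the reply.
        "su_mallory_blind_replace": pam_group_authenticate(su_mallory, "wheel", True).name,
        # ftpd: the applicant item is missing, so everyone is refused (the
        # symptom in the report); a per-service option fixes that without
        # changing what su gets.
        "ftp_alice_default": pam_group_authenticate(ftp_alice, "allow_ftp").name,
        "ftp_alice_auth_as_self": pam_group_authenticate(ftp_alice, "allow_ftp", True).name,
        "ftp_mallory_auth_as_self": pam_group_authenticate(ftp_mallory, "allow_ftp", True).name,
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:28s} {result}")
```

The model shows both halves of the argument: with the applicant check, su(1) behaves correctly and ftpd refuses everyone because the applicant item is absent; with the target check applied globally, ftpd works but su(1) admits any applicant because root itself is in wheel. A per-service option (in the model, `auth_as_self` on the pam_group line for the FTP service only) keeps the su(1) behaviour while fixing the FTP case.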
State-Changed-From-To: open->feedback 
State-Changed-By: vs 
State-Changed-When: Wed Mar 9 20:18:10 GMT 2005 
State-Changed-Why:  
Is des@ explanation sufficient? 


Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: vs 
Responsible-Changed-When: Wed Mar 9 20:18:10 GMT 2005 
Responsible-Changed-Why:  
Reclassify as "bin" 

http://www.freebsd.org/cgi/query-pr.cgi?pr=53324 
State-Changed-From-To: feedback->closed 
State-Changed-By: kris 
State-Changed-When: Sat Jul 30 01:23:44 GMT 2005 
State-Changed-Why:  
Feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=53324 
>Unformatted:
