Comment 6 for bug 1762391

Steve Langasek (vorlon) wrote:

pam_group is a historical curiosity. While we should continue to ship it in pam for compatibility with existing configurations, there is no good reason to use it in a new deployment, and we should not consider incompatibility with pam_group to itself be a reason to change the behavior of a pam application.

Static group memberships should be expressed through NSS, not through pam_group, so that the system has a consistent view of the memberships. This includes group memberships at large LDAP installations. You may want to be using sssd for this.

pam_group's support for dynamic group assignments (time-of-day, etc) is inherently flawed, because there is no support for runtime revocation of group membership of Unix processes, and there is no associated service to reap processes with out-of-policy group memberships. pam_group's dynamic group assignments should be considered entirely superseded by logind.

I believe the behavior of calling pam_setcred() from a pam application that has not first called pam_authenticate() is undefined, so I don't think this is a good general solution for applications aside from pam_group.

So I'm closing this bug as wontfix unless a clearer rationale for this change presents itself.
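The distinction drawn above (static memberships belong in NSS, time-of-day assignments cannot be revoked once granted) is the kind of thing an administrator would want to check against an existing pam_group setup before retiring it. The script below is an added example, not code from this bug thread or from Linux-PAM. It parses the documented `/etc/security/group.conf` line format (`services;ttys;users;times;groups`), using a constructed sample rather than a real file, and applies a simplified rule: only `Al0000-2400` counts as "always in force", anything else is treated as a dynamic, time-restricted grant. Static rules naming a plain user list are reported as candidates that map directly onto `/etc/group` or another NSS source.

```python
"""Audit pam_group rules: which could move to static NSS group membership.

Added example, not code from the bug thread or from Linux-PAM. The times
field handling is deliberately simplified (assumption): a rule is 'static'
only when its times field is exactly Al0000-2400; everything else is
'dynamic', i.e. a time-restricted grant that pam_group cannot revoke from
processes that already hold the group.
"""
import re

# Constructed sample of a group.conf, not taken from any real system.
SAMPLE_GROUP_CONF = """\
# services;ttys;users;times;groups
login;tty*&!ttyp*;alice;Al0000-2400;floppy
xsh;tty*;bob;Wk0800-1700;games
sshd;*;!root;Al0000-2400;audio,video
ftpd;*;carol;MoTuWe0900-1200;uploads
"""

# "All days, 00:00 to 24:00": the only pattern treated as permanent here.
FULL_DAY = re.compile(r"^Al0000-2400$")


def parse_group_conf(text):
    """Return a list of (services, ttys, users, times, groups) tuples.

    Comment and blank lines are skipped; a line without exactly five
    ';'-separated fields is a syntax error rather than silently ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(
                f"line {lineno}: expected 5 ';'-separated fields, got {len(fields)}"
            )
        rules.append(tuple(fields))
    return rules


def classify_rule(rule):
    """Label one rule as static (permanent) or dynamic (time-restricted)."""
    services, ttys, users, times, groups = rule
    kind = "static" if FULL_DAY.match(times) else "dynamic"
    return {
        "services": services,
        "ttys": ttys,
        "users": users,
        "times": times,
        "groups": groups.split(","),
        "kind": kind,
    }


def audit(text):
    """Classify every rule in a group.conf body."""
    return [classify_rule(r) for r in parse_group_conf(text)]


def migration_candidates(text):
    """(user, group) pairs from static rules with a plain user list.

    Negated ('!root') or wildcard ('*') user fields are skipped because they
    do not translate into a fixed membership list.
    """
    pairs = []
    for r in audit(text):
        if r["kind"] != "static" or r["users"] in ("*",) or r["users"].startswith("!"):
            continue
        for user in r["users"].split(","):
            for group in r["groups"]:
                pairs.append((user, group))
    return pairs


if __name__ == "__main__":
    for r in audit(SAMPLE_GROUP_CONF):
        print(f"{r['kind']:7s} service={r['services']} users={r['users']} "
              f"times={r['times']} groups={','.join(r['groups'])}")
    print("static rules that map to NSS membership:", migration_candidates(SAMPLE_GROUP_CONF))
```

Run against a real file by replacing `SAMPLE_GROUP_CONF` with the contents of `/etc/security/group.conf`; every rule reported as `dynamic` is one whose effect persists for the lifetime of the session's processes regardless of the time window, and every `static` rule is a membership that could be expressed once, system-wide, through NSS.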