Problems with pam_group + pam_mount


Hello guys,

I'm having problems with the use of pam_group and pam_mount, and I think
the problem is with the order in which the PAM API (pam_authenticate,
pam_open_session, pam_setcred, etc.) is used by the applications. I'll
try to describe my scenario below. Please, any help is welcome.

Here we use LDAP authentication through libpam-ldapd + nslcd and it's
working perfectly. We would also like to automatically mount the user's
HOME from a remote fileserver, using sshfs (which uses fuse). We do not
export the groups tree from LDAP. So, the solution we used was the
combination of pam_group + pam_mount. In order to load the groups, we
configure /etc/security/group.conf in the following way:

-------8<---------
------------------

In order to mount a volume through sshfs, it's essential that the user
belongs to the group 'fuse', because he needs to access /dev/fuse (which
is granted to the members of that group).

Then, we configure the login service in PAM as follows:

-------8<----------
# /etc/pam.d/login
auth optional pam_group
auth optional pam_mount
session optional pam_mount
-------------------

When I call the login program, I get the error 'permission denied in
access to /dev/fuse' and the volume is not mounted. However, when the
login process finishes, my user is in the fuse group.

After some debugging I could see that:
 - pam_group works at the pam_setcred stage. By 'work' I mean: it sets
the group membership for the user based on the content of
 - pam_mount does the mount at the pam_open_session stage. In that step,
the user already needs access to /dev/fuse, which should be granted by

The problem is that some applications, like 'login' [1], call
pam_open_session before pam_setcred and, in this way, pam_mount starts
working before pam_group has set the groups.

1 -

Even RFC86.0, in the section "SAMPLE PAM APPLICATION", shows the use of
pam_open_session before initgroups() and before pam_setcred. But what
about applications that depend on group membership settings to work in
the open_session stage?

Any help or tip is very welcome!

Thanks and sorry for the long e-mail! :)

Kind Regards, Italo.

-- 

Italo Valcy ::
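A diagnostic that confirms which stage actually holds the group, added here as an example and not part of the e-mail above: a script meant to be run from each PAM stage (hooking it in via pam_exec, and pam_exec exporting PAM_TYPE and PAM_USER to the child, are assumptions of this example) that logs the supplementary groups the login process holds at that moment and whether 'fuse' is among them.

```shell
#!/bin/sh
# pam-stage-probe: added diagnostic, not from the original e-mail.
# Intended to be called as a hook at the setcred and open_session stages
# (e.g. via pam_exec, an assumption). Because pam_group changes the
# supplementary groups of the PAM-using process itself, a child started
# from that process inherits them, so `id -Gn` here shows exactly what
# pam_mount would see when it tries to open /dev/fuse at that stage.

# in_group NAME GROUP... : succeed if NAME is one of the GROUP words
in_group() {
    want=$1; shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# probe_line STAGE USER GROUP... : one log line summarising the stage
probe_line() {
    stage=$1; user=$2; shift 2
    if in_group fuse "$@"; then fuse=yes; else fuse=no; fi
    printf 'stage=%s user=%s groups=%s fuse_member=%s\n' \
        "$stage" "$user" "$*" "$fuse"
}

# When run as a PAM hook, record the live process credentials to syslog.
# PAM_TYPE / PAM_USER are assumed to be exported by pam_exec; outside PAM
# they are unset and nothing is logged.
if [ -n "${PAM_TYPE:-}" ]; then
    probe_line "$PAM_TYPE" "${PAM_USER:-?}" $(id -Gn) | logger -t pam-stage-probe
fi
```

Comparing the setcred and open_session lines in syslog for one login shows directly whether the 'fuse' group is present when the session (and thus the mount) is opened.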

