pam_group.so is not evaluated by gnome-terminal

I am also using this feature and all previous versions of Ubuntu worked fine with this configuration. However with Bionic the GDM logins no longer add these local groups. Only no graphical logins like su, sudo, ssh, etc... add the appropriate local groups as per the /etc/security/group.conf.

This is a very important feature for us to be able to use Ubuntu with LDAP authentication in our computer labs for students and professors.

There is also a Gnome bug for this at https://gitlab.gnome.org/GNOME/gdm/issues/393#

Status changed to 'Confirmed' because the bug affects multiple users.

According to my tests GDM works as expected - checking groups the user belongs to on different terminal emulators (e.g. xterm) proves that the /etc/security/group.conf groups are correctly applied.

The problem in this case affects gnome-terminal alone (and the problem is present also if using e.g. LightDM instead of GDM).

This is related to the way gnome-terminal-server is started via DBus and executed under systemd --user. It is started under the systemd-user PAM service, so pam_group entry should be added to /etc/pam.d/systemd-user. The problem is systemd will never apply pam_group settings because it does not call pam_setcred.

The issue is reported to systemd along with a PR fixing it:
https://github.com/systemd/systemd/issues/11198

pam_group is a historical curiosity. While we should continue to ship it in pam for compatibility with existing configurations, there is no good reason to use it in a new deployment, and we should not consider incompatibility with pam_group to itself be a reason to change the behavior of a pam application.

Static group memberships should be expressed through NSS, not through pam_group, so that the system has a consistent view of the memberships. This includes group memberships at large LDAP installations. You may want to be using sssd for this.

pam_group's support for dynamic group assignments (time-of-day, etc) is inherently flawed, because there is no support for runtime revocation of group membership of Unix processes, and there is no associated service to reap processes with out-of-policy group memberships. pam_group's dynamic group assignments should be considered entirely superseded by logind.

I believe the behavior of calling pam_setcred() from a pam application that has not first called pam_authenticate() is undefined, so I don't think this is a good general solution for applications aside from pam_group.

So I'm closing this bug as wontfix unless a clearer rationale for this change presents itself.

This issue has been fixed upstream, I believe it makes sense to also have it in Ubuntu.

SRU proposal for Focal (upstream backport).

Please hold on with uploading until https://github.com/systemd/systemd/issues/14567 is resolved.

SRU proposal for focal.

Upstream regression has been resolved and the fix is integrated in the patch.

SRU proposal for bionic.

SRU proposal for eoan.

SRU proposal for eoan (patches split)

SRU proposal for bionic (patches split)

This bug was fixed in the package systemd - 244.1-0ubuntu2

---------------
systemd (244.1-0ubuntu2) focal; urgency=medium

  [ Dimitri John Ledkov ]
  * shutdown: do not detach autoclear loopback devices
    Author: Dimitri John Ledkov
    File: debian/patches/shutdown-do-not-detach-autoclear-loopback-devices.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3978d34b59e98cdd01836c41a10442967636b8fc

  [ Balint Reczey ]
  * Revert upstream commit breaking IPv4 DHCP in LXC containers in 244.1
    (LP: #1857123)
    File: debian/patches/Revert-network-if-sys-is-rw-then-udev-should-be-around.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=39c12f8e736afd1b7bdeb13ff6bccaea85020873

systemd (244.1-0ubuntu1) focal; urgency=medium

  * New upstream version 244.1
    - network: set ipv6 mtu after link-up or device mtu change (LP: #1671951)
    - & other changes
  * Refresh patches.
    - Dropped changes:
      * d/p/lp-1853852-*: fix issues with muliplexed shmat calls (LP: #1853852)
        Files:
        - debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch
        - debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=382271662c60c339b0a404c7a1772fe5670516ef
      * d/p/lp1671951-network-set-ipv6-mtu-after-link-up-or-device-mtu-cha.patch:
        set ipv6 mtu at correct time
  * pstore: Don't start systemd-pstore.service in containers.
    Usually it is not useful and can also fail making
    boot-and-services autopkgtest fail. (LP: #1856729)
    File: debian/patches/pstore-Don-t-start-systemd-pstore.service-in-containers.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=28b5a03769cbed9d3170ebac38508b867530a2d6
  * Revert: network: do not drop foreign config if interface is in initialized state.
    This fixes FTBFS with the other network-related reverts.
    File: debian/patches/Revert-network-do-not-drop-foreign-config-if-interface-is.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=22a9fa3bb03ba2a629926af39ea7df81fe33c9b8

systemd (244-3ubuntu5) focal; urgency=medium

  [ Dariusz Gadomski ]
  * d/p/lp1762391/0001-user-util-Add-helper-functions-for-gid-lists-operati.patch,
    d/p/lp1762391/0002-execute-Restore-call-to-pam_setcred.patch,
    d/p/lp1762391/0003-execute-Detect-groups-added-by-PAM-and-merge-them-wi.patch,
    d/p/lp1762391/0004-test-Add-tests-for-gid-list-ops.patch,
    d/p/lp1762391/0005-execute-add-const-to-array-parameters-where-possible.patch,
    d/p/lp1762391/0006-execute-allow-pam_setcred-to-fail-ignore-errors.patch:
    - Restore call to pam_setcred (LP: #1762391)

  [ Dan Streetman ]
  * d/t/storage: without scsi_debug, skip test (LP: #1847816)

systemd (244-3ubuntu4) focal; urgency=medium

  * d/p/lp1671951-network-set-ipv6-mtu-after-link-up-or-device-mtu-cha.patch:
    set ipv6 mtu at correct time (LP: #1671951)
  * d/p/0001-network-rename-linux_configure_after_setting_mtu-to-linux.patch,
    d/p/0002-network-add-link-setting_genmode-flag.patc...

systemd in Xenial differs to much to cleanly apply the upstream fix. It would require reimplementing it and may be more risky than useful.

Marking Won't fix.

Hello mtemp, or anyone else affected,

Accepted systemd into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/242-7ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello mtemp, or anyone else affected,

Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.34 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted systemd (237-3ubuntu10.34) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

php7.2/7.2.24-0ubuntu0.18.04.2 (armhf)
openssh/1:7.6p1-4ubuntu0.3 (arm64, armhf, ppc64el, amd64, s390x, i386)
dovecot/1:2.2.33.2-1ubuntu4.5 (armhf)
gvfs/1.36.1-0ubuntu1.3.3 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted systemd (242-7ubuntu3.3) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

samba/2:4.10.7+dfsg-0ubuntu2.4 (armhf)
netplan.io/0.98-0ubuntu1 (amd64, ppc64el)
gnome-desktop3/3.34.2-2ubuntu1~19.10.1 (armhf)
systemd/242-7ubuntu3.3 (ppc64el, arm64)
munin/2.0.49-3ubuntu1 (armhf)
bolt/0.8-4 (armhf)
umockdev/0.13.2-1 (armhf)
openssh/1:8.0p1-6build1 (amd64, ppc64el, i386, s390x, arm64, armhf)
linux-oem-osp1/5.0.0-1037.42 (amd64)
multipath-tools/unknown (armhf)
knot-resolver/3.2.1-3 (amd64, ppc64el)
lxc/3.0.4-0ubuntu1 (amd64, ppc64el, i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

I have just verified bionic. With version 237-3ubuntu10.34 after replaying test case from the description I see the groups from /etc/security/group.conf (dialout, users) added:

ubuntu@bionic:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin sambashare vboxsf

With identical setup and testcase for eoan I have managed to successfully verify the patch with version 242-7ubuntu3.3:

ubuntu@eoan:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin lxd sambashare
ubuntu@eoan:~$

This SRU needs to be reuploaded, due to security update that trumped this in progress SRU.

Hello mtemp, or anyone else affected,

Accepted systemd into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/242-7ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello mtemp, or anyone else affected,

Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.39 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted systemd (237-3ubuntu10.39) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

php7.2/7.2.24-0ubuntu0.18.04.2 (armhf)
gvfs/1.36.1-0ubuntu1.3.3 (ppc64el)
lxc/3.0.3-0ubuntu1~18.04.1 (amd64)
systemd/237-3ubuntu10.39 (i386)
netplan.io/0.98-0ubuntu1~18.04.1 (i386, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted systemd (242-7ubuntu3.7) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

remctl/3.15-1build2 (armhf)
systemd-bootchart/unknown (armhf)
netplan.io/0.98-0ubuntu1 (amd64)
systemd/242-7ubuntu3.7 (ppc64el, s390x)
sks/unknown (armhf)
munin/2.0.49-3ubuntu1 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

I have repeated verification for eoan (242-7ubuntu3.7) with identical results.

ubuntu@eoan:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin lxd sambashare

Similarly for bionic using version 237-3ubuntu10.39 verification was also successsful:

ubuntu@bionic:~$ groups
ubuntu adm dialout cdrom sudo dip plugdev users lpadmin sambashare vboxsf

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package systemd - 242-7ubuntu3.7

---------------
systemd (242-7ubuntu3.7) eoan; urgency=medium

  [ Dariusz Gadomski ]
  * d/p/lp1762391/0001-Call-getgroups-to-know-size-of-supplementary-groups-.patch,
    d/p/lp1762391/0002-user-util-tweak-to-in_gid.patch,
    d/p/lp1762391/0003-user-util-Add-helper-functions-for-gid-lists-operati.patch,
    d/p/lp1762391/0004-execute-Restore-call-to-pam_setcred.patch,
    d/p/lp1762391/0005-execute-Detect-groups-added-by-PAM-and-merge-them-wi.patch,
    d/p/lp1762391/0006-test-Add-tests-for-gid-list-ops.patch,
    d/p/lp1762391/0007-execute-add-const-to-array-parameters-where-possible.patch,
    d/p/lp1762391/0008-execute-allow-pam_setcred-to-fail-ignore-errors.patch:
    - Restore call to pam_setcred (LP: #1762391)

  * d/p/lp1846232/0001-network-honor-MTUBytes-setting.patch,
    d/p/lp1846232/0002-network-bump-MTU-bytes-only-when-MTUByte-is-not-set.patch:
    - do not always bump MTU with additional 4bytes (LP: #1846232)
  * d/p/lp1671951-network-set-ipv6-mtu-after-link-up-or-device-mtu-cha.patch:
    - set ipv6 mtu at correct time (LP: #1671951)
  * d/p/lp1845909/0001-network-rename-linux_configure_after_setting_mtu-to-linux.patch,
    d/p/lp1845909/0002-network-add-link-setting_genmode-flag.patch,
    d/p/lp1845909/0003-network-if-ipv6ll-is-disabled-enumerate-tentative-ipv6-ad.patch,
    d/p/lp1845909/0004-network-drop-foreign-config-after-addr_gen_mode-has-been-.patch,
    d/p/lp1845909/0005-network-drop-IPv6LL-address-when-LinkLocalAddressing.patch:
    - drop foreign config and raise interface after setting genmode
      (LP: #1845909)
  * d/t/storage: without scsi_debug, skip test (LP: #1847816)

 -- Dan Streetman <email address hidden> Thu, 06 Feb 2020 09:45:57 -0500

This bug was fixed in the package systemd - 237-3ubuntu10.39

---------------
systemd (237-3ubuntu10.39) bionic; urgency=medium

  [ Dariusz Gadomski ]
  * d/p/lp1762391/0001-Call-getgroups-to-know-size-of-supplementary-groups-.patch,
    d/p/lp1762391/0002-user-util-tweak-to-in_gid.patch,
    d/p/lp1762391/0003-user-util-Add-helper-functions-for-gid-lists-operati.patch,
    d/p/lp1762391/0004-execute-Restore-call-to-pam_setcred.patch,
    d/p/lp1762391/0005-execute-Detect-groups-added-by-PAM-and-merge-them-wi.patch,
    d/p/lp1762391/0006-test-Add-tests-for-gid-list-ops.patch,
    d/p/lp1762391/0007-execute-add-const-to-array-parameters-where-possible.patch,
    d/p/lp1762391/0008-execute-allow-pam_setcred-to-fail-ignore-errors.patch:
    - Restore call to pam_setcred (LP: #1762391)

  [ Ioanna Alifieraki ]
  * d/p/lp1860548/0001-Revert-Replace-use-of-snprintf-with-xsprintf.patch,
    d/p/lp1860548/0002-job-truncate-unit-description.patch:
    - use snprintf instead of xsprintf (LP: #1860548)

  [ Dan Streetman ]
  * d/p/lp1833193-network-update-address-when-static-address-was-alrea.patch:
    - Update lft when static addr was cfg by dhcp (LP: #1833193)
  * d/p/lp1849261/0001-core-when-we-can-t-enqueue-OnFailure-job-show-full-e.patch,
    d/p/lp1849261/0002-core-don-t-trigger-OnFailure-deps-when-a-unit-is-goi.patch:
    - Only trigger OnFailure= if Restart= is not in effect (LP: #1849261)
  * d/p/lp1671951-network-set-ipv6-mtu-after-link-up-or-device-mtu-cha.patch:
    - set ipv6 mtu at correct time (LP: #1671951)
  * d/p/lp1845909/0001-networkd-honour-LinkLocalAddressing.patch,
    d/p/lp1845909/0002-networkd-fix-link_up-12505.patch,
    d/p/lp1845909/0003-network-do-not-send-ipv6-token-to-kernel.patch,
    d/p/lp1845909/0004-network-rename-linux_configure_after_setting_mtu-to-linux.patch,
    d/p/lp1845909/0005-network-add-link-setting_genmode-flag.patch,
    d/p/lp1845909/0006-network-if-ipv6ll-is-disabled-enumerate-tentative-ipv6-ad.patch,
    d/p/lp1845909/0007-network-drop-foreign-config-after-addr_gen_mode-has-been-.patch,
    d/p/lp1845909/0008-network-drop-IPv6LL-address-when-LinkLocalAddressing.patch:
    - if LinkLocalAddressing=no prevent creation of ipv6ll (LP: #1845909)
  * d/p/lp1859862-network-Do-not-disable-IPv6-by-writing-to-sysctl.patch:
    - enable ipv6 when needed (LP: #1859862)
  * d/p/lp1836695-networkd-Add-back-static-routes-after-DHCPv4-lease-e.patch:
    - (re)add static routes after getting dhcp4 addr (LP: #1836695)
  * d/t/storage:
    - fix buggy test (LP: #1831459)
    - without scsi_debug, skip test (LP: #1847816)

 -- Dan Streetman <email address hidden> Thu, 06 Feb 2020 10:00:49 -0500

upstream systemd issue is https://github.com/systemd/systemd/issues/11198
As launchpad was failing to sync the status of the upstream issue, I just marked it manually as fix released.