Bug 1105342 - sddm: backport of "Honor PAM's ambient supplemental groups." from 0.18 to 0.17 for Leap 15.0
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: KDE Workspace (Plasma)
Version: Leap 15.0
Hardware: Other Other
Priority: P5 - None; Severity: Enhancement
Assigned To: Fabian Vogt
Reported: 2018-08-20 12:17 UTC by Tiziano Müller
Modified: 2019-09-05 22:42 UTC (History)


Attachments
0001-BACKPORT-of-1bc813d-Honor-PAM-s-ambient-supplemental.patch (3.46 KB, patch)
2018-08-20 12:17 UTC, Tiziano Müller
Description Tiziano Müller 2018-08-20 12:17:03 UTC
Created attachment 780169 [details]
0001-BACKPORT-of-1bc813d-Honor-PAM-s-ambient-supplemental.patch

The latest release of sddm-0.18 (already in Factory) contains an isolated feature "Honor PAM's ambient supplemental groups." which is very useful in a setup with a directory server to give users node-local group memberships.
It would therefore be really great if we could get this backported to the 0.17 package in Leap 15.0.

The original commit is here:
https://github.com/sddm/sddm/commit/1bc813d08b8130e458a6550ec47fb2bfbe6de080

My backport of the feature is attached to this bug report. The only difference to the original commit is that in 0.17 the variable `pw` is still a pointer and there is no `buffer` to free.

I've tested the patch locally by rebuilding 0.17.0-lp150.9.3.1 from source with the patch applied. My user was in a group `local-docker` and with the following configuration in `/etc/security/group.conf` it also became a member of the group `docker` after login via SDDM:

  *;*;%local-docker;Al0000-2400;docker

Please note: this PAM feature already works out of the box when logging in via SSH or the console, only SDDM was ignoring it until now. There is no LDAP required for testing, two local groups are enough.

See https://help.ubuntu.com/community/LDAPClientAuthentication#Assign_local_groups_to_users for more information.
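
The group handling this report asks for, as an added example that is not part of the bug report and is not SDDM's code: a session helper running as root snapshots the supplementary groups PAM left on the process (for instance from pam_group and `group.conf`), calls `initgroups()`, which replaces that list from the group database, and then sets the union of both. The function names `merge_gids`, `snapshot_groups` and `apply_session_groups` are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* for initgroups()/setgroups() under strict -std= modes */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Union of two gid lists without duplicates; caller frees *out. Returns count or -1. */
int merge_gids(const gid_t *a, int na, const gid_t *b, int nb, gid_t **out)
{
    gid_t *m = malloc(sizeof(gid_t) * (size_t)(na + nb + 1));
    int n = 0;
    if (!m) return -1;
    for (int i = 0; i < na + nb; i++) {
        gid_t g = i < na ? a[i] : b[i - na];
        int seen = 0;
        for (int j = 0; j < n; j++)
            if (m[j] == g) { seen = 1; break; }
        if (!seen) m[n++] = g;
    }
    *out = m;
    return n;
}

/* Snapshot the calling process's supplementary groups; caller frees *out. */
int snapshot_groups(gid_t **out)
{
    int n = getgroups(0, NULL);            /* size 0: only report the count */
    if (n < 0) return -1;
    *out = malloc(sizeof(gid_t) * (size_t)(n + 1));
    if (!*out) return -1;
    n = getgroups(n, *out);
    if (n < 0) { free(*out); *out = NULL; }
    return n;
}

/* Hypothetical helper: call as root after PAM credential setup, before dropping the uid. */
int apply_session_groups(const struct passwd *pw)
{
    gid_t *ambient = NULL, *user = NULL, *all = NULL;
    int rc = -1, na, nu, n;
    if ((na = snapshot_groups(&ambient)) < 0) goto done;      /* groups PAM added */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) goto done;  /* replaces the whole list */
    if ((nu = snapshot_groups(&user)) < 0) goto done;
    if ((n = merge_gids(user, nu, ambient, na, &all)) < 0) goto done;
    rc = setgroups((size_t)n, all);        /* needs CAP_SETGID; do this before setuid() */
done:
    free(ambient); free(user); free(all);
    return rc;
}
```

Calling `initgroups()` alone is the pattern that drops PAM-assigned groups; the snapshot has to be taken before it, and `setgroups()` has to run while the process still has the privilege to change groups.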
Comment 1 Andreas Stieger 2018-08-20 13:34:52 UTC
assigning to maintainers to evaluate this backport.
Comment 2 Fabian Vogt 2018-08-20 13:44:58 UTC
This is definitely a feasible backport.

As you already made the patch - can you also submit the package on OBS?

If not, we can do it.
Comment 3 Andreas Stieger 2018-08-20 16:51:41 UTC
It was already submitted:
https://build.opensuse.org/request/show/629453
Can you please reference this bug there? ("boo#1105342")

KDE team, except for that reference, can you cross check the above submission?
Comment 4 Fabian Vogt 2018-08-20 17:10:09 UTC
(In reply to Andreas Stieger from comment #3)
> It was already submitted:
> https://build.opensuse.org/request/show/629453

Indeed, five days ago. Not sure what's up with the mail notification.
I did review the sr which this one superseded...

> Can you please reference this bug there? ("boo#1105342")
> 
> KDE team, except for that reference, can you cross check the above
> submission?

LGTM.
Comment 5 Luiz Angelo Daros de Luca 2018-08-20 17:28:05 UTC
New request:

https://build.opensuse.org/request/show/630567

Now it references this bug.
Comment 6 Andreas Stieger 2018-08-20 17:50:58 UTC
Processed for maintenance. Test update packages will appear in:
http://download.opensuse.org/repositories/openSUSE:/Maintenance:/8613/openSUSE_Leap_15.0_Update/
http://download.opensuse.org/update/leap/15.0-test/
Comment 7 Swamp Workflow Management 2018-08-24 22:13:42 UTC
openSUSE-OU-2018:2506-1: An update that has one optional fix can now be installed.

Category: optional (moderate)
Bug References: 1105342
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    sddm-0.17.0-lp150.9.6.1
Comment 8 Swamp Workflow Management 2018-09-22 07:16:30 UTC
openSUSE-OU-2018:2506-2: An update that has one optional fix can now be installed.

Category: optional (moderate)
Bug References: 1105342
CVE References: 
Sources used:
openSUSE Backports SLE-15 (src):    sddm-0.17.0-bp150.4.3.1
Comment 9 Swamp Workflow Management 2019-09-05 19:15:18 UTC
openSUSE-OU-2019:2075-1: An update that has one optional fix can now be installed.

Category: optional (moderate)
Bug References: 1105342
CVE References: 
Sources used:
openSUSE Backports SLE-15 (src):    sddm-0.17.0-bp150.9.13.1