PAM is reverting the group of devices to user IDs, creating arbitrary wrong results.

Examples (nobody logged on from console as no keyboard is attached):

(1) (The usual setup)

/etc/security/console.perms:
[...]
<console> 0600 <sound> 0660 root.audio
[...]

# pam_console_apply -r
# ll /dev/sound/dsp
crw-rw---- 1 root root 14, 3 11. Nov 23:57 /dev/sound/dsp

Result: wrong group on device

(2) (A test with my user)

[...]
<console> 0600 <sound> 0660 christian.users
[...]

# pam_console_apply -r
# ll /dev/sound/dsp
crw-rw---- 1 christian 1000 14, 3 11. Nov 23:57 /dev/sound/dsp

Result: wrong group 1000 on device, this group does not exist, but is the user id(!) of user christian

(3) (A test with a random user)

[...]
<console> 0600 <sound> 0660 cyrus.audio
[...]

# pam_console_apply -r
# ll /dev/sound/dsp
crw-rw---- 1 cyrus usb 14, 3 11. Nov 23:57 /dev/sound/dsp
# grep cyrus /etc/passwd
cyrus:x:85:12::/usr/cyrus:/bin/false
# grep usb /etc/group
usb:x:85:

Result: PAM has used the group ID of the user instead of the supplied group in console.perms or at least the correct group id of the user.

Reproducible: Always

Steps to Reproduce:
1. Set up revert permissions in console.perms to a revert-owner that has a group id different from the user id
2. run "pam_console_apply -r" with nobody logged on at the console
3. check group of the affected device

Actual Results:
The user id of the revert-owner is used as group on the device

Expected Results:
The supplied revert-group id from console.perms should have been used or at least the group id of the revert-owner

I'm running a pure udev system without device tarball:
conf.d/rc:RC_DEVICE_TARBALL="no"

Installed packages:
sys-libs/pam-0.77-r1
sys-apps/baselayout-1.9.4-r6
sys-apps/shadow-4.0.5-r2

# emerge info
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-gentoo-r1 i686)
=================================================================
System uname: 2.6.9-gentoo-r1 i686 Intel(R) Celeron(R) CPU 1.70GHz
Gentoo Base System version 1.4.16
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers: sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distcc distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://gentoo.oregonstate.edu/ http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X alsa apm arts avi bitmap-fonts cdr cups dvd dvdr encode f77 fam flac foomaticdb fortran gif gpm gtk2 imlib java jpeg junit kde libwww mmx mozilla mpeg ncurses nls nptl oggvorbis pam pdflib perl png ppds python qt readline sdl slang spell ssl svga tcpd tiff truetype usb x86 xml2 xmms xv zlib linguas_de"

This appears to be related to bug #31877.
Over the last weeks I followed the things going on with bug #31877 and all the related bugs. As I understand it, the solution to that bug is to remove pam.console from the standard setup as it only causes problems. On the other hand pam.console should work correctly if a user chooses to use it anyway. My finding is that it doesn't do that. I don't know if this is somehow related to me using a udev system. In bug #31877 the comments seem to concentrate on devfs. I will try to reproduce this bug after the plan in bug #31877 is complete.
I missed this, so sorry for the late reply. It was a bad patch - can anybody try pam-0.77-r8, which should fix it?
I tested and it works as expected now. Many thanks!
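
An added example, not part of the original report or of pam_console: it takes the three observations from the first comment and lists which explanation accounts for the group seen on /dev/sound/dsp in each test. The lookup tables are constructed; the gids for audio and users and christian's primary gid are assumed values, and parse_rule and explain_gid are hypothetical helper names.

```python
import re

# Constructed lookup tables standing in for /etc/passwd and /etc/group.
# root, christian (uid 1000), cyrus (85:12) and usb (85) follow the report;
# the gids for "audio" and "users" and christian's primary gid are assumed.
PASSWD = {"root": (0, 0), "christian": (1000, 100), "cyrus": (85, 12)}
GROUP = {"root": 0, "audio": 18, "users": 100, "usb": 85}

# <console> <mode> <device class> <revert mode> <revert owner>.<revert group>
RULE = re.compile(
    r"^<(\w+)>\s+([0-7]{4})\s+<(\w+)>\s+([0-7]{4})\s+([\w-]+)\.([\w-]+)$")

def parse_rule(line):
    """Split one console.perms permission rule into its revert settings."""
    m = RULE.match(line.strip())
    if m is None:
        raise ValueError(f"not a permission rule: {line!r}")
    return {"class": m.group(3), "mode": int(m.group(4), 8),
            "owner": m.group(5), "group": m.group(6)}

def explain_gid(line, st_gid, passwd=PASSWD, group=GROUP):
    """Return every hypothesis that accounts for the gid seen on the device."""
    rule = parse_rule(line)
    owner_uid, owner_primary_gid = passwd[rule["owner"]]
    candidates = {
        "configured-group": group[rule["group"]],   # what console.perms asks for
        "owner-primary-gid": owner_primary_gid,     # the reporter's fallback expectation
        "owner-uid-as-gid": owner_uid,              # the behaviour the report describes
    }
    return sorted(name for name, gid in candidates.items() if gid == st_gid)

# (rule, numeric gid observed on /dev/sound/dsp) for the report's three tests
REPORT_CASES = [
    ("<console> 0600 <sound> 0660 root.audio", 0),
    ("<console> 0600 <sound> 0660 christian.users", 1000),
    ("<console> 0600 <sound> 0660 cyrus.audio", 85),
]

if __name__ == "__main__":
    for rule_line, gid in REPORT_CASES:
        print(rule_line, "->", explain_gid(rule_line, gid))
```

Test (1) is ambiguous because root's uid and primary gid are both 0; tests (2) and (3) leave only the uid-as-gid explanation. On a live system the same comparison can be fed from os.stat, pwd.getpwnam and grp.getgrnam instead of the tables.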