Tags: linux, file-permissions

File permissions for letting app as user X authenticate using PAM Radius?


I have an application running as user X. User X has primary group Y and a supplementary group Z. I'd like the application to authenticate using Radius via PAM. I've installed libpam-radius-auth and I know that /etc/pam_radius_auth.conf is correctly configured since I can log in using SSH (which also uses PAM Radius). My application can also authenticate correctly if I set

chmod 444 /etc/pam_radius_auth.conf

Obviously I don't want to do that since the file contains a shared password.

Now, as far as I've understood, /etc/pam_radius_auth.conf needs to be readable by the process (since PAM invocations run as the user). What surprises me is that

chgrp Z /etc/pam_radius_auth.conf
chmod 440 /etc/pam_radius_auth.conf

doesn't work, but

chgrp Y /etc/pam_radius_auth.conf
chmod 440 /etc/pam_radius_auth.conf

does. Could anyone explain why the file permission (group Z, that is) doesn't work? I can read it from sudo -u X bash. Could it have something to do with the fact that my (upstart) init file for the application contains

setgid Y

? Also, any proposed fix would be great. Since user Y has the same name as user X (i.e. syslogd:syslogd), I'd prefer not to have /etc/pam_radius_auth.conf owned by that group, but rather by a global Z group.

Edit: Just in case, I've restarted the process after adding the supplemental group Z to the user X. Still doesn't work.

Edit 2: Looks like the process is not in the correct group:

root@mymachine:/proc/3260# cat status |grep Group
Groups:
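The check the poster did by hand in /proc can be scripted. The following is an added example, not code from the question or from libpam-radius-auth: it reads the Gid: and Groups: lines of /proc/PID/status (the effective gid is the second value on the Gid: line; the Groups: line lists supplementary gids, and an empty line means the process has none, whatever /etc/group says) and compares them with the owning group of a file, to tell whether the group bits of a 0440 file apply to that process at all. It assumes a Linux /proc layout and GNU coreutils stat -c; the status text in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from /proc/PID/status whether a process is in the
# group that owns a file, i.e. whether the group bits of a 0440 file can
# grant it read access. Assumes Linux /proc and GNU stat -c (coreutils).

# group_match STATUS_TEXT GID
# STATUS_TEXT is the contents of /proc/PID/status. Returns 0 if GID is the
# process's effective gid or appears in its supplementary group list.
group_match() {
    status="$1"
    want="$2"
    # "Gid:  real  effective  saved  filesystem" -> effective gid is field 3
    egid=$(printf '%s\n' "$status" | awk '/^Gid:/ { print $3 }')
    # "Groups:  g1 g2 ..." -> everything after the label (may be empty, as
    # in the poster's output, when supplementary groups were never set up)
    supp=$(printf '%s\n' "$status" | awk '/^Groups:/ { $1 = ""; print }')
    [ "$egid" = "$want" ] && return 0
    for g in $supp; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# check_pid_file PID FILE
# Reports whether the owning group of FILE is among PID's groups.
# Returns 0 (group bits apply), 1 (they do not), 2 (pid or file unreadable).
check_pid_file() {
    pid="$1"
    file="$2"
    status=$(cat "/proc/$pid/status") || return 2
    fgid=$(stat -c '%g' "$file") || return 2
    supp=$(printf '%s\n' "$status" | awk '/^Groups:/ { $1 = ""; print }')
    if group_match "$status" "$fgid"; then
        echo "pid $pid is in gid $fgid: group bits on $file apply"
        return 0
    fi
    echo "pid $pid is NOT in gid $fgid (Groups:$supp): group bits on $file do not apply"
    return 1
}

# Usage: ./check.sh PID FILE
if [ "$#" -eq 2 ]; then
    check_pid_file "$1" "$2"
fi
```

Run against the poster's situation (pid 3260 and /etc/pam_radius_auth.conf owned by Z) it reports the mismatch directly: the file's gid is Z, but the process's Groups: line is empty and its effective gid is Y, so only a file owned by Y can be read through the group bits. A process that had been started with its supplementary groups initialised would list Z on the Groups: line and pass the check.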

Solution

  • I'm pretty certain I am running into this bug: https://bugs.launchpad.net/upstart/+bug/812870