From owner-freebsd-hackers Mon Aug 6 7:17:51 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from bugz.infotecs.ru (bugz.infotecs.ru [195.210.139.22])
        by hub.freebsd.org (Postfix) with ESMTP id 394F637B405
        for ; Mon, 6 Aug 2001 07:17:46 -0700 (PDT)
        (envelope-from vel@bugz.infotecs.ru)
Received: (from root@localhost)
        by bugz.infotecs.ru (8.11.5/8.11.4) id f76IYBO64264
        for freebsd-hackers@freebsd.org; Mon, 6 Aug 2001 18:34:11 GMT
        (envelope-from vel)
From: "Eugene L. Vorokov"
Message-Id: <200108061834.f76IYBO64264@bugz.infotecs.ru>
Subject: pam_wheel
To: freebsd-hackers@freebsd.org
Date: Mon, 6 Aug 2001 18:34:11 +0000 (GMT)
X-Mailer: ELM [version 2.5 PL5]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

pam_wheel authentication module seems to be broken in -current. Look at
this (from src/lib/libpam/modules/pam_wheel):

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
        struct options options;
        struct passwd *pwd;
        struct group *grp;
        int retval;
        const char *user;
        char *use_group;

        pam_std_option(&options, other_options, argc, argv);

        PAM_LOG("Options processed");

        if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
                pwd = getpwnam(getlogin());
        else {
                retval = pam_get_user(pamh, &user, NULL);
                if (retval != PAM_SUCCESS)
                        PAM_RETURN(retval);
                pwd = getpwnam(user);
        }

        PAM_LOG("Got user: %s", user);

        /* Ignore if already uid 0 */
        if (pwd->pw_uid)
                PAM_RETURN(PAM_IGNORE);

        PAM_LOG("Not superuser");

This piece obviously has at least two errors. First, if PAM_OPT_AUTH_AS_SELF
is true, then the value of user is undefined. It should probably log
pwd->pw_name instead. Second, the check for root must of course be reversed
and become if (!pwd->pw_uid).

The way it works now, it always returns PAM_IGNORE for all non-root users,
which results in allowing "su" for anyone who knows the root password. Or am
I missing something again ? 8=)

Regards,
Eugene

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
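As an added example, not code from the message above or from FreeBSD's pam_wheel, the following models the decision made in pam_sm_authenticate with constructed passwd and wheel tables (the names demo_passwd, demo_wheel, demo_getpwnam, demo_in_wheel and wheel_decision are invented for it). pwd stands for whichever account the quoted code looked up (the login user under PAM_OPT_AUTH_AS_SELF, the PAM user otherwise); the wheel-membership step that follows the uid test is not quoted in the message and is assumed here. The function evaluates the uid test both as quoted, "if (pwd->pw_uid)", and in the reversed form the message proposes, "if (!pwd->pw_uid)", so the result for root and non-root accounts can be read off for each variant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the PAM return codes so the model builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };

/* Minimal passwd record; the real module uses struct passwd from getpwnam(). */
struct demo_pw {
    const char *pw_name;
    unsigned pw_uid;
};

/* Constructed data for the demo: alice is in wheel, bob is not. */
static const struct demo_pw demo_passwd[] = {
    { "root", 0 }, { "alice", 1001 }, { "bob", 1002 },
};
static const char *const demo_wheel[] = { "root", "alice", NULL };

/* Stand-in for getpwnam(): NULL for an unknown name, as the libc call returns. */
static const struct demo_pw *demo_getpwnam(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof demo_passwd / sizeof demo_passwd[0]; i++)
        if (strcmp(demo_passwd[i].pw_name, name) == 0)
            return &demo_passwd[i];
    return NULL;
}

/* Stand-in for the group-membership lookup against the wheel group. */
static int demo_in_wheel(const char *name)
{
    const char *const *m;

    for (m = demo_wheel; *m != NULL; m++)
        if (strcmp(*m, name) == 0)
            return 1;
    return 0;
}

/*
 * checked:   the account whose uid the test inspects (pwd in the quoted code)
 * applicant: the user invoking su, whose wheel membership is enforced
 * reversed:  0 = "if (pwd->pw_uid)" as quoted, 1 = "if (!pwd->pw_uid)" as proposed
 */
int wheel_decision(const char *checked, const char *applicant, int reversed)
{
    const struct demo_pw *pwd = demo_getpwnam(checked);

    /* Not in the quoted code: fail closed on an unknown account instead of
     * dereferencing a NULL pwd. */
    if (pwd == NULL)
        return PAM_AUTH_ERR;

    /* The uid test in one of its two forms; PAM_IGNORE means this module
     * steps aside and leaves the decision to the rest of the stack. */
    if (reversed ? pwd->pw_uid == 0 : pwd->pw_uid != 0)
        return PAM_IGNORE;

    /* Assumed continuation: only wheel members get past this point. */
    return demo_in_wheel(applicant) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

static const char *decision_name(int rc)
{
    switch (rc) {
    case PAM_SUCCESS:
        return "PAM_SUCCESS";
    case PAM_AUTH_ERR:
        return "PAM_AUTH_ERR";
    default:
        return "PAM_IGNORE";
    }
}

int main(void)
{
    const char *checked[] = { "root", "bob" };
    const char *applicants[] = { "alice", "bob" };
    int rev, c, a;

    for (rev = 0; rev < 2; rev++) {
        printf("uid test %s:\n", rev ? "if (!pwd->pw_uid)" : "if (pwd->pw_uid)");
        for (c = 0; c < 2; c++)
            for (a = 0; a < 2; a++)
                printf("  checked=%-5s applicant=%-5s -> %s\n",
                    checked[c], applicants[a],
                    decision_name(wheel_decision(checked[c], applicants[a], rev)));
    }
    return 0;
}
```

Running it prints one table per form of the test. The rows where the result is PAM_IGNORE are the cases in which pam_wheel contributes nothing to the outcome, so whether su is permitted there is decided entirely by the other modules configured for the service; reading those rows against the wheel policy an administrator expects is the quickest way to check the reasoning in the message.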