From owner-freebsd-questions@FreeBSD.ORG Fri Oct 7 15:56:49 2005
Date: Fri, 7 Oct 2005 11:56:48 -0400 (EDT)
From: "Brian A. Seklecki"
To: freebsd-questions@freebsd.org
Cc: Rui Paulo, Dag-Erling Smorgrav
Message-ID: <20051007114027.Y95280@arbitor.digitalfreaks.org>
Subject: pam_rootok(8) + pam.d/sudo symlink to pam.d/su

Every reference(1) to configuring PAM and sudo(8) (in my case, for LDAP)
suggests just symlinking [/usr/local/]etc/pam.d/sudo to /etc/pam.d/su.

However, when I do that, all wheel-group users are automatically passing
auth requirements due to:

    auth sufficient pam_rootok.so no_warn

...which I assume is happening because sudo(8) is running SUID root?

    ---s--x--x 2 root wheel 105264 Aug 19 12:36 /usr/local/bin/sudo*

...the problem is, that confuses the visudo(8)/sudoers(5) policy by
effectively adding:

    %wheel ALL=(ALL) NOPASSWD: ALL

Is this correct? If so, the docs should probably be updated.

1.:
    http://sudo.rtin.bz/sudo/install.html
    http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/pam-config.html
    http://netbsd.org/guide/en/chap-pam.html
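A defender-side check for the configuration problem the post describes, added here as an example; it is not part of the original message and not sudo's or FreeBSD's own code. It assumes FreeBSD-style pam.d syntax (`auth include system`), and both policy texts below are constructed for the example rather than copied from a real system. The su-style policy carries the `pam_rootok` line the post quotes; the sudo-style policy is a plain stack with no `pam_rootok`, so the sudo PAM service always authenticates instead of being short-circuited. `check_policy` reports which of the two a given policy text is.

```shell
#!/bin/sh
# Added example (not from the original post): flag a PAM service file whose
# auth stack lets pam_rootok short-circuit authentication, which is the
# effect the post observes after symlinking pam.d/sudo to pam.d/su.
# Both policy texts are constructed inline so the check runs offline.

# Constructed su-style auth stack, in FreeBSD pam.d syntax.
SU_STYLE='# su(1) PAM policy (constructed sample)
auth        sufficient    pam_rootok.so    no_warn
auth        sufficient    pam_self.so      no_warn
auth        include       system'

# Constructed sudo-style policy: no pam_rootok, so sudo(8) always
# authenticates through the system stack (assumed corrected form).
SUDO_STYLE='# sudo(8) PAM policy (constructed sample)
auth        include       system
account     include       system
session     include       system
password    include       system'

# pam_rootok_lines: read a policy on stdin and print the auth lines that
# load pam_rootok, ignoring comment lines. Exit status follows grep:
# 0 if at least one such line was found, 1 otherwise.
pam_rootok_lines() {
    grep -v '^[[:space:]]*#' | grep -E '^[[:space:]]*auth[[:space:]].*pam_rootok'
}

# check_policy NAME TEXT: return 0 when TEXT never consults pam_rootok in
# its auth stack, 1 when it does (and print the offending lines).
check_policy() {
    name=$1
    text=$2
    found=$(printf '%s\n' "$text" | pam_rootok_lines)
    if [ -n "$found" ]; then
        echo "$name: auth stack consults pam_rootok; fix: give sudo its own pam.d file"
        printf '    %s\n' "$found"
        return 1
    fi
    echo "$name: ok (no pam_rootok in auth stack)"
    return 0
}

# Usage: run both constructed policies through the check.
check_policy su-style "$SU_STYLE"
check_policy sudo-style "$SUDO_STYLE"
```

To run this against a live system instead of the constructed samples, feed the real file in with `check_policy sudo "$(cat /usr/local/etc/pam.d/sudo)"`; because the check reads the file's content rather than its path, a symlink to /etc/pam.d/su is reported the same way as a copy of it.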