Date: Sun, 13 Oct 2002 15:24:45 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.org> To: "David O'Brien" <obrien@FreeBSD.org> Cc: "M. Warner Losh" <imp@bsdimp.com>, mark@grondar.za, des@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc group Message-ID: <Pine.NEB.3.96L.1021013151933.38261G-100000@fledge.watson.org> In-Reply-To: <20021013190055.GA57842@dragon.nuxi.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 13 Oct 2002, David O'Brien wrote: > On Sun, Oct 13, 2002 at 02:31:24PM -0400, Robert Watson wrote: > > I believe you accomplish it in the New World Order by dropping pam_wheel > > from the /etc/pam.d/su requirements. So I'm guessing that the current > > /etc/group arrangement with root appearing in both wheel and operator is > > the right one for the time being. > > This is too engrained in BSD systems and its admins to change. Could people take a look at the attached patch to pam_wheel.c -- I'd like to add this (assuming it's completely right) and change the default for su's invocation of pam_wheel.c to include "exempt_if_empty". ? pam_wheel.8.gz ? pam_wheel.so.2 Index: pam_wheel.8 =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.8,v retrieving revision 1.7 diff -u -r1.7 pam_wheel.8 --- pam_wheel.8 26 Aug 2001 18:09:00 -0000 1.7 +++ pam_wheel.8 13 Oct 2002 19:24:07 -0000 @@ -55,7 +55,7 @@ .Dq Li wheel . .Pp The following options may be passed to the authentication module: -.Bl -tag -width ".Cm auth_as_self" +.Bl -tag -width ".Cm exempt_if_empty" .It Cm debug .Xr syslog 3 debugging information at @@ -103,6 +103,14 @@ if the user is authenticating to a user that is not the superuser. +.It Cm exempt_if_empty +return +.Dv PAM_IGNORE +if the specified group (default group of +.Dq Li wheel ) +is empty, providing traditional BSD +.Xr su 8 +semantics permitting any user to su if the wheel group is empty. .El .Sh SEE ALSO .Xr getlogin 2 , Index: pam_wheel.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v retrieving revision 1.11 diff -u -r1.11 pam_wheel.c --- pam_wheel.c 12 Apr 2002 22:27:25 -0000 1.11 +++ pam_wheel.c 13 Oct 2002 19:24:08 -0000 @@ -59,7 +59,8 @@ PAM_OPT_GROUP, PAM_OPT_TRUST, PAM_OPT_AUTH_AS_SELF, - PAM_OPT_NOROOT_OK + PAM_OPT_NOROOT_OK, + PAM_OPT_EXEMPT_IF_EMPTY }; static struct opttab other_options[] = { @@ -68,6 +69,7 @@ { "trust", PAM_OPT_TRUST }, { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, { "noroot_ok", PAM_OPT_NOROOT_OK }, + { "exempt_if_empty", PAM_OPT_EXEMPT_IF_EMPTY }, { NULL, 0 } }; @@ -152,6 +154,12 @@ } PAM_LOG("Got group: %s", grp->gr_name); + + /* If the group is empty, see if we exempt empty groups. */ + if (*(grp->gr_mem) == NULL) { + if (pam_test_option(&options, PAM_OPT_EXEMPT_IF_EMPTY, NULL)) + return (PAM_IGNORE); + } if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)) { if (pam_test_option(&options, PAM_OPT_DENY, NULL)) { Index: su =================================================================== RCS file: /home/ncvs/src/etc/pam.d/su,v retrieving revision 1.8 diff -u -r1.8 su --- su 18 Apr 2002 17:40:27 -0000 1.8 +++ su 13 Oct 2002 19:24:57 -0000 @@ -7,7 +7,7 @@ # auth auth sufficient pam_rootok.so no_warn auth sufficient pam_self.so no_warn -auth requisite pam_wheel.so no_warn auth_as_self noroot_ok +auth requisite pam_wheel.so no_warn auth_as_self noroot_ok exempty_if_empty #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self auth sufficient pam_opie.so no_warn no_fake_prompts To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1021013151933.38261G-100000>