Date:      Sun, 13 Oct 2002 15:24:45 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        "David O'Brien" <obrien@FreeBSD.org>
Cc:        "M. Warner Losh" <imp@bsdimp.com>, mark@grondar.za, des@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc group
Message-ID:  <Pine.NEB.3.96L.1021013151933.38261G-100000@fledge.watson.org>
In-Reply-To: <20021013190055.GA57842@dragon.nuxi.com>


On Sun, 13 Oct 2002, David O'Brien wrote:

> On Sun, Oct 13, 2002 at 02:31:24PM -0400, Robert Watson wrote:
> > I believe you accomplish it in the New World Order by dropping pam_wheel
> > from the /etc/pam.d/su requirements.  So I'm guessing that the current
> > /etc/group arrangement with root appearing in both wheel and operator is
> > the right one for the time being.
> 
> This is too engrained in BSD systems and its admins to change.

Could people take a look at the attached patch to pam_wheel.c -- I'd like
to add this (assuming it's completely right) and change the default for
su's invocation of pam_wheel.c to include "exempt_if_empty".

? pam_wheel.8.gz
? pam_wheel.so.2
Index: pam_wheel.8
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.8,v
retrieving revision 1.7
diff -u -r1.7 pam_wheel.8
--- pam_wheel.8	26 Aug 2001 18:09:00 -0000	1.7
+++ pam_wheel.8	13 Oct 2002 19:24:07 -0000
@@ -55,7 +55,7 @@
 .Dq Li wheel .
 .Pp
 The following options may be passed to the authentication module:
-.Bl -tag -width ".Cm auth_as_self"
+.Bl -tag -width ".Cm exempt_if_empty"
 .It Cm debug
 .Xr syslog 3
 debugging information at
@@ -103,6 +103,14 @@
 if the user is authenticating
 to a user
 that is not the superuser.
+.It Cm exempt_if_empty
+return
+.Dv PAM_IGNORE
+if the specified group (default group of
+.Dq Li wheel )
+is empty, providing traditional BSD
+.Xr su 8
+semantics permitting any user to su if the wheel group is empty.
 .El
 .Sh SEE ALSO
 .Xr getlogin 2 ,
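Review bot: the new `.It Cm exempt_if_empty` entry should say what "empty" means, because the matching code in pam_wheel.c only tests the explicit member list from group(5) (`*(grp->gr_mem) == NULL`); a user whose primary gid is the wheel group is not counted for this test even though the existing `pwd->pw_gid == grp->gr_gid` check treats such a user as a member. Suggest wording like "if the specified group has no members listed in group(5)" so an administrator does not assume a primary-gid-only wheel group blocks the exemption.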
Index: pam_wheel.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v
retrieving revision 1.11
diff -u -r1.11 pam_wheel.c
--- pam_wheel.c	12 Apr 2002 22:27:25 -0000	1.11
+++ pam_wheel.c	13 Oct 2002 19:24:08 -0000
@@ -59,7 +59,8 @@
 	PAM_OPT_GROUP,
 	PAM_OPT_TRUST,
 	PAM_OPT_AUTH_AS_SELF,
-	PAM_OPT_NOROOT_OK
+	PAM_OPT_NOROOT_OK,
+	PAM_OPT_EXEMPT_IF_EMPTY
 };
 
 static struct opttab other_options[] = {
@@ -68,6 +69,7 @@
 	{ "trust",		PAM_OPT_TRUST },
 	{ "auth_as_self",	PAM_OPT_AUTH_AS_SELF },
 	{ "noroot_ok",		PAM_OPT_NOROOT_OK },
+	{ "exempt_if_empty",	PAM_OPT_EXEMPT_IF_EMPTY },
 	{ NULL, 0 }
 };
 
@@ -152,6 +154,12 @@
 	}
 
 	PAM_LOG("Got group: %s", grp->gr_name);
+
+	/* If the group is empty, see if we exempt empty groups. */
+	if (*(grp->gr_mem) == NULL) {
+		if (pam_test_option(&options, PAM_OPT_EXEMPT_IF_EMPTY, NULL))
+			return (PAM_IGNORE);
+	}
 
 	if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)) {
 		if (pam_test_option(&options, PAM_OPT_DENY, NULL)) {
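Review bot: the emptiness test at `if (*(grp->gr_mem) == NULL)` inspects only the explicit member list, so a group whose only "members" have it as their primary gid (the `pwd->pw_gid == grp->gr_gid` case checked right below) is treated as empty and every user is exempted; that is worth either documenting or reconsidering, since it widens the exemption beyond what "the wheel group is empty" suggests. Also, the module already logs `PAM_LOG("Got group: %s", grp->gr_name)`; add a `PAM_LOG("Group %s is empty, exempting", grp->gr_name)` before `return (PAM_IGNORE)` so the exemption is visible when debugging why pam_wheel stopped enforcing membership.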

Index: su
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/su,v
retrieving revision 1.8
diff -u -r1.8 su
--- su	18 Apr 2002 17:40:27 -0000	1.8
+++ su	13 Oct 2002 19:24:57 -0000
@@ -7,7 +7,7 @@
 # auth
 auth		sufficient	pam_rootok.so	no_warn
 auth		sufficient	pam_self.so	no_warn
-auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
+auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok exempty_if_empty
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
 auth		sufficient	pam_opie.so	no_warn no_fake_prompts
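Review bot: the option name on the added `auth requisite pam_wheel.so ... exempty_if_empty` line is misspelled; the pam_wheel.c option table registers `exempt_if_empty`, so as written the string will not match and the empty-group exemption would not take effect for su. Change it to `exempt_if_empty`.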

