Date: Sun, 13 Oct 2002 15:24:45 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: "David O'Brien" <obrien@FreeBSD.org>
Cc: "M. Warner Losh" <imp@bsdimp.com>, mark@grondar.za, des@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc group
Message-ID: <Pine.NEB.3.96L.1021013151933.38261G-100000@fledge.watson.org>
In-Reply-To: <20021013190055.GA57842@dragon.nuxi.com>
On Sun, 13 Oct 2002, David O'Brien wrote:
> On Sun, Oct 13, 2002 at 02:31:24PM -0400, Robert Watson wrote:
> > I believe you accomplish it in the New World Order by dropping pam_wheel
> > from the /etc/pam.d/su requirements. So I'm guessing that the current
> > /etc/group arrangement with root appearing in both wheel and operator is
> > the right one for the time being.
>
> This is too engrained in BSD systems and its admins to change.
Could people take a look at the attached patch to pam_wheel.c -- I'd like
to add this (assuming it's completely right) and change the default for
su's invocation of pam_wheel.c to include "exempt_if_empty".
? pam_wheel.8.gz
? pam_wheel.so.2
Index: pam_wheel.8
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.8,v
retrieving revision 1.7
diff -u -r1.7 pam_wheel.8
--- pam_wheel.8 26 Aug 2001 18:09:00 -0000 1.7
+++ pam_wheel.8 13 Oct 2002 19:24:07 -0000
@@ -55,7 +55,7 @@
.Dq Li wheel .
.Pp
The following options may be passed to the authentication module:
-.Bl -tag -width ".Cm auth_as_self"
+.Bl -tag -width ".Cm exempt_if_empty"
.It Cm debug
.Xr syslog 3
debugging information at
@@ -103,6 +103,14 @@
if the user is authenticating
to a user
that is not the superuser.
+.It Cm exempt_if_empty
+return
+.Dv PAM_IGNORE
+if the specified group (default group of
+.Dq Li wheel )
+is empty, providing traditional BSD
+.Xr su 8
+semantics permitting any user to su if the wheel group is empty.
.El
.Sh SEE ALSO
.Xr getlogin 2 ,
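Review bot: the wording "if the specified group (default group of wheel) is empty" in the new exempt_if_empty entry is ambiguous about what "empty" means; the module exempts only when the group's explicit member list is empty, not when no user has it as primary group, and the page should say so, since a reader of "is empty" will assume both. Suggest "if the group named by the group option (default wheel) has no members listed in /etc/group", and state explicitly that the option returns PAM_IGNORE before the deny check is reached, so an empty group with deny set exempts rather than denies.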
Index: pam_wheel.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v
retrieving revision 1.11
diff -u -r1.11 pam_wheel.c
--- pam_wheel.c 12 Apr 2002 22:27:25 -0000 1.11
+++ pam_wheel.c 13 Oct 2002 19:24:08 -0000
@@ -59,7 +59,8 @@
PAM_OPT_GROUP,
PAM_OPT_TRUST,
PAM_OPT_AUTH_AS_SELF,
- PAM_OPT_NOROOT_OK
+ PAM_OPT_NOROOT_OK,
+ PAM_OPT_EXEMPT_IF_EMPTY
};
static struct opttab other_options[] = {
@@ -68,6 +69,7 @@
{ "trust", PAM_OPT_TRUST },
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
{ "noroot_ok", PAM_OPT_NOROOT_OK },
+ { "exempt_if_empty", PAM_OPT_EXEMPT_IF_EMPTY },
{ NULL, 0 }
};
@@ -152,6 +154,12 @@
}
PAM_LOG("Got group: %s", grp->gr_name);
+
+ /* If the group is empty, see if we exempt empty groups. */
+ if (*(grp->gr_mem) == NULL) {
+ if (pam_test_option(&options, PAM_OPT_EXEMPT_IF_EMPTY, NULL))
+ return (PAM_IGNORE);
+ }
if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)) {
if (pam_test_option(&options, PAM_OPT_DENY, NULL)) {
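Review bot: the emptiness test `if (*(grp->gr_mem) == NULL)` considers only the explicit member list, while the membership test two lines below, `pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)`, also treats users whose primary gid is the group as members. A group that has primary-gid members but no gr_mem entries is therefore "empty" here, and every user is exempted from the wheel check even though some users are in fact wheel members by primary group. Either document that exempt_if_empty looks only at the gr_mem list, or tighten the check so that the exemption is not granted when the caller's own pw_gid already matches the group. Also note that the exemption is evaluated before the PAM_OPT_DENY branch, so with deny an empty group yields PAM_IGNORE rather than a deny decision; that ordering is probably intended but deserves a comment.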
Index: su
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/su,v
retrieving revision 1.8
diff -u -r1.8 su
--- su 18 Apr 2002 17:40:27 -0000 1.8
+++ su 13 Oct 2002 19:24:57 -0000
@@ -7,7 +7,7 @@
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
-auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
+auth requisite pam_wheel.so no_warn auth_as_self noroot_ok exempty_if_empty
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
auth sufficient pam_opie.so no_warn no_fake_prompts
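Review bot: the option name on the new pam_wheel.so line is misspelled, "exempty_if_empty", and does not match the "exempt_if_empty" string registered in other_options in pam_wheel.c, so the exemption would never be enabled from this config and su would keep the old behaviour. Suggest `auth requisite pam_wheel.so no_warn auth_as_self noroot_ok exempt_if_empty`.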
