From owner-cvs-all Sun Oct 13 12:25:29 2002
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6960837B401; Sun, 13 Oct 2002 12:25:26 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 61F4643E91; Sun, 13 Oct 2002 12:25:24 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id g9DJOkOo040406; Sun, 13 Oct 2002 15:24:46 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Sun, 13 Oct 2002 15:24:45 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "David O'Brien"
Cc: "M. Warner Losh" , mark@grondar.za, des@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc group
In-Reply-To: <20021013190055.GA57842@dragon.nuxi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sun, 13 Oct 2002, David O'Brien wrote:

> On Sun, Oct 13, 2002 at 02:31:24PM -0400, Robert Watson wrote:
> > I believe you accomplish it in the New World Order by dropping pam_wheel
> > from the /etc/pam.d/su requirements. So I'm guessing that the current
> > /etc/group arrangement with root appearing in both wheel and operator is
> > the right one for the time being.
>
> This is too engrained in BSD systems and its admins to change.

Could people take a look at the attached patch to pam_wheel.c -- I'd like to add this (assuming it's completely right) and change the default for su's invocation of pam_wheel.c to include "exempt_if_empty".

? pam_wheel.8.gz ? pam_wheel.so.2 Index: pam_wheel.8 =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.8,v retrieving revision 1.7 diff -u -r1.7 pam_wheel.8 --- pam_wheel.8 26 Aug 2001 18:09:00 -0000 1.7 +++ pam_wheel.8 13 Oct 2002 19:24:07 -0000 @@ -55,7 +55,7 @@ .Dq Li wheel . .Pp The following options may be passed to the authentication module: -.Bl -tag -width ".Cm auth_as_self" +.Bl -tag -width ".Cm exempt_if_empty" .It Cm debug .Xr syslog 3 debugging information at 
@@ -103,6 +103,14 @@ if the user is authenticating to a user that is not the superuser. +.It Cm exempt_if_empty +return +.Dv PAM_IGNORE +if the specified group (default group of +.Dq Li wheel ) +is empty, providing traditional BSD +.Xr su 8 +semantics permitting any user to su if the wheel group is empty. .El .Sh SEE ALSO .Xr getlogin 2 , Index: pam_wheel.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v retrieving revision 1.11 diff -u -r1.11 pam_wheel.c --- pam_wheel.c 12 Apr 2002 22:27:25 -0000 1.11 +++ pam_wheel.c 13 Oct 2002 19:24:08 -0000 @@ -59,7 +59,8 @@ PAM_OPT_GROUP, PAM_OPT_TRUST, PAM_OPT_AUTH_AS_SELF, - PAM_OPT_NOROOT_OK + PAM_OPT_NOROOT_OK, + PAM_OPT_EXEMPT_IF_EMPTY }; static struct opttab other_options[] = { @@ -68,6 +69,7 @@ { "trust", PAM_OPT_TRUST }, { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, { "noroot_ok", PAM_OPT_NOROOT_OK }, + { "exempt_if_empty", PAM_OPT_EXEMPT_IF_EMPTY }, { NULL, 0 } }; @@ -152,6 +154,12 @@ } PAM_LOG("Got group: %s", grp->gr_name); + + /* If the group is empty, see if we exempt empty groups. */ + if (*(grp->gr_mem) == NULL) { + if (pam_test_option(&options, PAM_OPT_EXEMPT_IF_EMPTY, NULL)) + return (PAM_IGNORE); + } if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)) { if (pam_test_option(&options, PAM_OPT_DENY, NULL)) { Index: su =================================================================== RCS file: /home/ncvs/src/etc/pam.d/su,v retrieving revision 1.8 diff -u -r1.8 su --- su 18 Apr 2002 17:40:27 -0000 1.8 +++ su 13 Oct 2002 19:24:57 -0000 
@@ -7,7 +7,7 @@ # auth auth sufficient pam_rootok.so no_warn auth sufficient pam_self.so no_warn -auth requisite pam_wheel.so no_warn auth_as_self noroot_ok +auth requisite pam_wheel.so no_warn auth_as_self noroot_ok exempty_if_empty #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self auth sufficient pam_opie.so no_warn no_fake_prompts To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
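Review bot: The new exempt_if_empty paragraph in the pam_wheel.8 hunk (the `+.It Cm exempt_if_empty` block) overstates what PAM_IGNORE does and does not match what the code calls empty. PAM_IGNORE only takes pam_wheel out of the decision; whether "any user" can then su depends on the modules that follow it in /etc/pam.d/su (the target's password is still required by the rest of the stack), so the wording should say the wheel restriction is waived, not that any user is permitted to su. The C hunk also judges emptiness from gr_mem alone, so a group whose only members have it as their login group is treated as empty; the man page should say that users whose primary gid is the named group are not counted, or the code should be changed to count them.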
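Review bot: In the pam_wheel.c hunk that adds `if (*(grp->gr_mem) == NULL)`, the exemption runs before the membership test, so `pwd->pw_gid == grp->gr_gid` two lines further down is never reached when gr_mem is empty: a user whose login group is wheel gets PAM_IGNORE instead of PAM_SUCCESS, and the group counts as empty even though it has primary-gid members. Suggest moving the emptiness check after the `if (pwd->pw_gid == grp->gr_gid || in_list(...))` block, so explicit and primary-group members keep their current result and the exemption applies only when nobody matched. A PAM_LOG line when the exemption fires would also make it visible in debugging output why pam_wheel was skipped.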
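Review bot: The option name in the su hunk is misspelled: the new line reads `exempty_if_empty`, while the option table added to pam_wheel.c registers `exempt_if_empty`. As written, pam_wheel would see an unknown option and the exemption would never take effect, so the requisite line keeps denying every non-wheel user exactly as before. The line should be `auth requisite pam_wheel.so no_warn auth_as_self noroot_ok exempt_if_empty`.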
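To make the ordering question in the pam_wheel.c hunk concrete, the following is an added, stand-alone model of the membership decision pam_wheel makes, with the patch's exempt_if_empty rule. It is not FreeBSD's pam_wheel.c and does not touch PAM; it runs the same tests against constructed struct group and struct passwd records (the users alice, bob and carol and their gids are made up) instead of calling getgrnam(3) and getpwnam(3). decide_patched follows the patch's order; decide_reordered is a suggested alternative that checks membership first.

```c
/*
 * Added example, not FreeBSD's pam_wheel.c: a stand-alone model of the
 * membership decision pam_wheel makes, with the patch's exempt_if_empty
 * rule, run against constructed /etc/group and /etc/passwd records
 * instead of getgrnam(3)/getpwnam(3).  All names and gids are made up.
 *
 * Build: cc -std=c99 -Wall wheel_model.c -o wheel_model && ./wheel_model
 */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Outcomes, standing in for the PAM codes the module returns. */
enum verdict { V_IGNORE, V_SUCCESS, V_DENY };

/* Same helper as pam_wheel.c: is name listed in the gr_mem array? */
static int in_list(char *const *list, const char *name)
{
	for (; *list != NULL; list++)
		if (strcmp(*list, name) == 0)
			return 1;
	return 0;
}

/* pam_wheel's membership test: login group matches, or listed in gr_mem. */
static int is_member(const struct passwd *pwd, const struct group *grp)
{
	return pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name);
}

/* The patch's notion of "empty": no explicit members in gr_mem. */
static int gr_mem_empty(const struct group *grp)
{
	return grp->gr_mem == NULL || *grp->gr_mem == NULL;
}

/* Decision in the order the patch uses: exemption first, then membership. */
static enum verdict decide_patched(const struct passwd *pwd,
    const struct group *grp, int exempt_if_empty, int deny)
{
	if (exempt_if_empty && gr_mem_empty(grp))
		return V_IGNORE;
	if (is_member(pwd, grp))
		return deny ? V_DENY : V_SUCCESS;
	return deny ? V_SUCCESS : V_DENY;
}

/*
 * Same decision with the checks reordered (a suggested alternative, not
 * the patch): membership first, so a user whose login group is wheel
 * keeps PAM_SUCCESS, and the exemption applies only when nobody matched.
 */
static enum verdict decide_reordered(const struct passwd *pwd,
    const struct group *grp, int exempt_if_empty, int deny)
{
	if (is_member(pwd, grp))
		return deny ? V_DENY : V_SUCCESS;
	if (exempt_if_empty && gr_mem_empty(grp))
		return V_IGNORE;
	return deny ? V_SUCCESS : V_DENY;
}

/* Constructed records (hypothetical users; wheel is gid 0 as on FreeBSD). */
static char *no_members[] = { NULL };
static char *bob_only[] = { "bob", NULL };
static struct group wheel_nomem = { .gr_name = "wheel", .gr_gid = 0, .gr_mem = no_members };
static struct group wheel_bob = { .gr_name = "wheel", .gr_gid = 0, .gr_mem = bob_only };
static struct passwd alice = { .pw_name = "alice", .pw_uid = 1001, .pw_gid = 0 };    /* login group wheel */
static struct passwd bob   = { .pw_name = "bob",   .pw_uid = 1002, .pw_gid = 1002 }; /* listed in gr_mem */
static struct passwd carol = { .pw_name = "carol", .pw_uid = 1003, .pw_gid = 1003 }; /* not in wheel */

static const char *verdict_name(enum verdict v)
{
	return v == V_IGNORE ? "PAM_IGNORE" : v == V_SUCCESS ? "PAM_SUCCESS" : "PAM_AUTH_ERR";
}

int main(void)
{
	/* With exempt_if_empty and no gr_mem entries, alice (gid 0) is skipped
	 * in the patch's order but accepted when membership is checked first. */
	printf("alice/wheel(no gr_mem): patched=%s reordered=%s\n",
	    verdict_name(decide_patched(&alice, &wheel_nomem, 1, 0)),
	    verdict_name(decide_reordered(&alice, &wheel_nomem, 1, 0)));
	printf("carol/wheel(no gr_mem): patched=%s reordered=%s\n",
	    verdict_name(decide_patched(&carol, &wheel_nomem, 1, 0)),
	    verdict_name(decide_reordered(&carol, &wheel_nomem, 1, 0)));
	printf("carol/wheel(bob listed): patched=%s\n",
	    verdict_name(decide_patched(&carol, &wheel_bob, 1, 0)));
	return 0;
}
```

The only difference between the two decide functions is the order of the two tests; with a wheel group that has no gr_mem entries, alice (login group wheel) gets PAM_IGNORE from the patch's order and PAM_SUCCESS from the reordered one, while carol, who is in neither, gets PAM_IGNORE from both.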