| Summary: | pam_wheel does not check primary group id | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Joshua Goodall <joshua> |
| Component: | bin | Assignee: | Mark Murray <markm> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | Unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |
Responsible Changed From-To: freebsd-bugs->markm

Mark's our pam head. The patch looks good and tests okay over here. While testing, I was disappointed to see that we're back to square one with su(1) providing no useful information for the various kinds of authentication failure. Does pam have some "verbose messages to stderr, please" option that we could turn on if the user specified -v to su?

Ciao, Sheldon.

State Changed From-To: open->closed

Fixed. Thanks for the report!
pam_wheel, and therefore su(1), does not allow a user who is a member of group 0 (in /etc/passwd) to 'su root' unless they are also explicitly listed in /etc/group. From 'man group': "A user is automatically in a group if that group was specified in their /etc/passwd entry and does not need to be added to that group in the /etc/group file."

Fix: Doesn't this sound very like PR bin/6696? Add appropriate gid check? Maybe something like the following diff (builds, not tested).

```diff
 PAM_LOG("Got group: %s", grp->gr_name);
-if (in_list(grp->gr_mem, fromsu)) {
+if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, fromsu)) {
 if (pam_test_option(&options, PAM_OPT_DENY, NULL))
 PAM_RETURN(PAM_PERM_DENIED);
 if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
```

Attachment file.diff:

```diff
Index: pam_wheel.c
===================================================================
RCS file: /data/joshua/bsd/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v
retrieving revision 1.2
diff -u -r1.2 pam_wheel.c
--- pam_wheel.c	2001/07/14 08:42:39	1.2
+++ pam_wheel.c	2001/07/31 11:21:11
@@ -122,7 +122,7 @@
```

How-To-Repeat: Add a user to group 0, but don't add them to /etc/group. Try to 'su root'.
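Review bot: the new `pwd->pw_gid == grp->gr_gid` test on the `+` line is only correct if `pwd` is the passwd entry of the invoking user named by `fromsu` (and is non-NULL), which this hunk does not show; please confirm it was looked up from the same name that is passed to `in_list`, because if `pwd` is the target user's entry the comparison is trivially true for a target of root (primary gid 0 equals the wheel gid), and the DENY/TRUST branches below would then be reached for every caller. Since the submission notes the change builds but is untested, it would also help to extend the `PAM_LOG("Got group: %s", ...)` line just above to record which of the two membership paths matched when exercising the How-To-Repeat case.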
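As an added illustration of the two membership sources the report describes, the C example below (written for this page, not code from FreeBSD's pam_wheel.c or from the PR) places the pre-fix check next to the fixed one and applies both to constructed passwd and group entries; `wheel_member_before`, `wheel_member_after`, `user_in_group` and the `sample_*` entries are names and data invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <pwd.h>
#include <grp.h>

/* True if `name` appears in a NULL-terminated member list such as gr_mem. */
static bool in_list(char *const *list, const char *name)
{
    if (list == NULL)
        return false;
    for (; *list != NULL; list++)
        if (strcmp(*list, name) == 0)
            return true;
    return false;
}

/* Pre-fix behaviour: membership comes only from the /etc/group member list,
 * so a user whose /etc/passwd entry carries the group's gid is missed. */
bool wheel_member_before(const struct passwd *pwd, const struct group *grp)
{
    return in_list(grp->gr_mem, pwd->pw_name);
}

/* Post-fix behaviour: the group is the user's primary group (passwd gid)
 * OR the user is listed explicitly in /etc/group. */
bool wheel_member_after(const struct passwd *pwd, const struct group *grp)
{
    return pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name);
}

/* Resolve both entries on the running system and apply the fixed check.
 * Fails closed: an unknown user or group is never a member. */
bool user_in_group(const char *user, const char *group)
{
    const struct passwd *pwd = getpwnam(user);
    const struct group *grp = getgrnam(group);
    if (pwd == NULL || grp == NULL)
        return false;
    return wheel_member_after(pwd, grp);
}

/* Constructed sample data (not from any real system): group 0 lists only
 * alice in gr_mem; joshua is in group 0 only through his passwd gid. */
static char *wheel_members[] = { "alice", NULL };
const struct group sample_wheel = { .gr_name = "wheel", .gr_gid = 0, .gr_mem = wheel_members };
const struct passwd sample_joshua = { .pw_name = "joshua", .pw_uid = 1001, .pw_gid = 0 };
const struct passwd sample_alice = { .pw_name = "alice", .pw_uid = 1002, .pw_gid = 1002 };
const struct passwd sample_bob = { .pw_name = "bob", .pw_uid = 1003, .pw_gid = 1003 };
```

With these entries, `wheel_member_before` rejects joshua while `wheel_member_after` accepts him, which is exactly the difference the How-To-Repeat steps exercise.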