summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--modules/pam_wheel/README17
-rw-r--r--modules/pam_wheel/pam_wheel.c14
2 files changed, 21 insertions, 10 deletions
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README
index b75689e8..2cd156c0 100644
--- a/modules/pam_wheel/README
+++ b/modules/pam_wheel/README
@@ -3,15 +3,15 @@ pam_wheel:
only permit root authentication to members of wheel group
RECOGNIZED ARGUMENTS:
- debug write a message to syslog indicating success or
+ debug Write a message to syslog indicating success or
failure.
- use_uid the check for wheel membership will be done against
+ use_uid The check for wheel membership will be done against
the current uid instead of the original one
(useful when jumping with su from one account to
- another for example)
-
- trust the pam_wheel module will return PAM_SUCCESS instead
+ another for example).
+
+ trust The pam_wheel module will return PAM_SUCCESS instead
of PAM_IGNORE if the user is a member of the wheel
group (thus with a little play stacking the modules
the wheel members may be able to su to root without
@@ -25,8 +25,11 @@ RECOGNIZED ARGUMENTS:
PAM_IGNORE (unless 'trust' was also specified, in
which case we return PAM_SUCCESS).
- group=xxxx Instead of checking the GID 0 group, use the xxxx
- group to perform the authentification.
+ group=xxxx Instead of checking the wheel or GID 0 groups, use
+ the xxxx group to perform the authentification.
+
+ root_only The check for wheel membership is done only
+ if the uid of requested account is 0.
MODULE SERVICES PROVIDED:
auth _authentication, _setcred (blank) and _acct_mgmt
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index 8cd8eb31..92cd44b9 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -75,7 +75,8 @@ static int is_on_list(char * const *list, const char *member)
#define PAM_DEBUG_ARG 0x0001
#define PAM_USE_UID_ARG 0x0002
#define PAM_TRUST_ARG 0x0004
-#define PAM_DENY_ARG 0x0010
+#define PAM_DENY_ARG 0x0010
+#define PAM_ROOT_ONLY_ARG 0x0020
static int _pam_parse(int argc, const char **argv, char *use_group,
size_t group_length)
@@ -97,6 +98,8 @@ static int _pam_parse(int argc, const char **argv, char *use_group,
ctrl |= PAM_TRUST_ARG;
else if (!strcmp(*argv,"deny"))
ctrl |= PAM_DENY_ARG;
+ else if (!strcmp(*argv,"root_only"))
+ ctrl |= PAM_ROOT_ONLY_ARG;
else if (!strncmp(*argv,"group=",6))
strncpy(use_group,*argv+6,group_length-1);
else {
@@ -124,14 +127,19 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl,
return PAM_SERVICE_ERR;
}
- /* su to a uid 0 account ? */
pwd = _pammodutil_getpwnam (pamh, username);
if (!pwd) {
if (ctrl & PAM_DEBUG_ARG) {
_pam_log(LOG_NOTICE,"unknown user %s",username);
- }
+ }
return PAM_USER_UNKNOWN;
}
+ if (ctrl & PAM_ROOT_ONLY_ARG) {
+ /* su to a non uid 0 account ? */
+ if (pwd->pw_uid != 0) {
+ return PAM_IGNORE;
+ }
+ }
if (ctrl & PAM_USE_UID_ARG) {
tpwd = _pammodutil_getpwuid (pamh, getuid());