From 0185894c8971caf571087ff5ef9b022968544a39 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 11 Nov 2004 13:04:55 +0000 Subject: Relevant BUGIDs: Red Hat bz 73351 Purpose of commit: new feature Commit summary: --------------- Add only_root option to pam_wheel to make it affect only authentication to root account. --- modules/pam_wheel/README | 17 ++++++++++------- modules/pam_wheel/pam_wheel.c | 14 +++++++++++--- 2 files changed, 21 insertions(+), 10 deletions(-) (limited to 'modules') diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index b75689e8..2cd156c0 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -3,15 +3,15 @@ pam_wheel: only permit root authentication to members of wheel group RECOGNIZED ARGUMENTS: - debug write a message to syslog indicating success or + debug Write a message to syslog indicating success or failure. - use_uid the check for wheel membership will be done against + use_uid The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to - another for example) - - trust the pam_wheel module will return PAM_SUCCESS instead + another for example). + + trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without @@ -25,8 +25,11 @@ RECOGNIZED ARGUMENTS: PAM_IGNORE (unless 'trust' was also specified, in which case we return PAM_SUCCESS). - group=xxxx Instead of checking the GID 0 group, use the xxxx - group to perform the authentification. + group=xxxx Instead of checking the wheel or GID 0 groups, use + the xxxx group to perform the authentification. + + root_only The check for wheel membership is done only + if the uid of requested account is 0. MODULE SERVICES PROVIDED: auth _authentication, _setcred (blank) and _acct_mgmt diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 8cd8eb31..92cd44b9 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -75,7 +75,8 @@ static int is_on_list(char * const *list, const char *member) #define PAM_DEBUG_ARG 0x0001 #define PAM_USE_UID_ARG 0x0002 #define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 +#define PAM_DENY_ARG 0x0010 +#define PAM_ROOT_ONLY_ARG 0x0020 static int _pam_parse(int argc, const char **argv, char *use_group, size_t group_length) @@ -97,6 +98,8 @@ static int _pam_parse(int argc, const char **argv, char *use_group, ctrl |= PAM_TRUST_ARG; else if (!strcmp(*argv,"deny")) ctrl |= PAM_DENY_ARG; + else if (!strcmp(*argv,"root_only")) + ctrl |= PAM_ROOT_ONLY_ARG; else if (!strncmp(*argv,"group=",6)) strncpy(use_group,*argv+6,group_length-1); else { @@ -124,14 +127,19 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl, return PAM_SERVICE_ERR; } - /* su to a uid 0 account ? */ pwd = _pammodutil_getpwnam (pamh, username); if (!pwd) { if (ctrl & PAM_DEBUG_ARG) { _pam_log(LOG_NOTICE,"unknown user %s",username); - } + } return PAM_USER_UNKNOWN; } + if (ctrl & PAM_ROOT_ONLY_ARG) { + /* su to a non uid 0 account ? */ + if (pwd->pw_uid != 0) { + return PAM_IGNORE; + } + } if (ctrl & PAM_USE_UID_ARG) { tpwd = _pammodutil_getpwuid (pamh, getuid()); -- cgit v1.2.3