Patch for Debian bug #163787 et al Always use the process uid, not getlogin(), to identify an applicant in pam_wheel; utmp may be wrong or may have no entry at all in the case of an xterm Authors: Ben Collins Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> Index: pam.deb/modules/pam_wheel/pam_wheel.c =================================================================== --- pam.deb.orig/modules/pam_wheel/pam_wheel.c +++ pam.deb/modules/pam_wheel/pam_wheel.c @@ -60,9 +60,8 @@ /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 -#define PAM_USE_UID_ARG 0x0002 -#define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 +#define PAM_TRUST_ARG 0x0002 +#define PAM_DENY_ARG 0x0004 #define PAM_ROOT_ONLY_ARG 0x0020 static int @@ -80,8 +79,7 @@ if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; - else if (!strcmp(*argv,"use_uid")) - ctrl |= PAM_USE_UID_ARG; + else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ else if (!strcmp(*argv,"trust")) ctrl |= PAM_TRUST_ARG; else if (!strcmp(*argv,"deny")) @@ -129,27 +127,14 @@ } } - if (ctrl & PAM_USE_UID_ARG) { - tpwd = pam_modutil_getpwuid (pamh, getuid()); - if (!tpwd) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; - } - fromsu = tpwd->pw_name; - } else { - fromsu = pam_modutil_getlogin(pamh); - if (fromsu) { - tpwd = pam_modutil_getpwnam (pamh, fromsu); - } - if (!fromsu || !tpwd) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; + tpwd = pam_modutil_getpwuid (pamh, getuid()); + if (!tpwd) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); } + return PAM_SERVICE_ERR; } + fromsu = tpwd->pw_name; /* * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml =================================================================== --- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml +++ pam.deb/modules/pam_wheel/pam_wheel.8.xml @@ -33,9 +33,6 @@ trust - - use_uid - @@ -115,18 +112,6 @@ - - - - - - - The check for wheel membership will be done against - the current uid instead of the original one (useful when - jumping with su from one account to another for example). - - - Index: pam.deb/modules/pam_wheel/pam_wheel.8 =================================================================== --- pam.deb.orig/modules/pam_wheel/pam_wheel.8 +++ pam.deb/modules/pam_wheel/pam_wheel.8 @@ -1,161 +1,13 @@ +'\" t .\" Title: pam_wheel .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.74.0 -.\" Date: 03/02/2009 +.\" Generator: DocBook XSL Stylesheets v1.75.2 +.\" Date: 08/24/2009 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_WHEEL" "8" "03/02/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" ----------------------------------------------------------------- -.\" * (re)Define some macros -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" toupper - uppercase a string (locale-aware) -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de toupper -.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -\\$* -.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH-xref - format a cross-reference to an SH section -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de SH-xref -.ie n \{\ -.\} -.toupper \\$* -.el \{\ -\\$* -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH - level-one heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SH -.\" put an extra blank line of space above the head in non-TTY output -.if t \{\ -.sp 1 -.\} -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[an-margin]u -.ti 0 -.HTML-TAG ".NH \\n[an-level]" -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -\." make the size of the head bigger -.ps +3 -.ft B -.ne (2v + 1u) -.ie n \{\ -.\" if n (TTY output), use uppercase -.toupper \\$* -.\} -.el \{\ -.nr an-break-flag 0 -.\" if not n (not TTY), use normal case (not uppercase) -\\$1 -.in \\n[an-margin]u -.ti 0 -.\" if not n (not TTY), put a border/line under subheading -.sp -.6 -\l'\n(.lu' -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SS - level-two heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SS -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[IN]u -.ti \\n[SN]u -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -.ps \\n[PS-SS]u -\." make the size of the head bigger -.ps +2 -.ft B -.ne (2v + 1u) -.if \\n[.$] \&\\$* -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BB/BE - put background/screen (filled box) around block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BB -.if t \{\ -.sp -.5 -.br -.in +2n -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EB -.if t \{\ -.if "\\$2"adjust-for-leading-newline" \{\ -.sp -1 -.\} -.br -.di -.in -.ll -.gcolor -.nr BW \\n(.lu-\\n(.i -.nr BH \\n(dn+.5v -.ne \\n(BHu+.5v -.ie "\\$2"adjust-for-leading-newline" \{\ -\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.el \{\ -\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.in 0 -.sp -.5v -.nf -.BX -.in -.sp .5v -.fi -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BM/EM - put colored marker in margin next to block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BM -.if t \{\ -.br -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EM -.if t \{\ -.br -.di -.ll -.gcolor -.nr BH \\n(dn -.ne \\n(BHu -\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -.in 0 -.nf -.BX -.in -.fi -.\} -.. +.TH "PAM_WHEEL" "8" "08/24/2009" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- @@ -166,13 +18,11 @@ .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- -.SH "Name" +.SH "NAME" pam_wheel \- Only permit root access to members of group wheel -.SH "Synopsis" -.fam C +.SH "SYNOPSIS" .HP \w'\fBpam_wheel\&.so\fR\ 'u -\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] -.fam +\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] .SH "DESCRIPTION" .PP The pam_wheel PAM module is used to enforce the so\-called @@ -213,11 +63,6 @@ .RS 4 The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. .RE -.PP -\fBuse_uid\fR -.RS 4 -The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&. -.RE .SH "MODULE TYPES PROVIDED" .PP The @@ -268,26 +113,12 @@ .if n \{\ .RS 4 .\} -.fam C -.ps -1 .nf -.if t \{\ -.sp -1 -.\} -.BB lightgray adjust-for-leading-newline -.sp -1 - su auth sufficient pam_rootok\&.so su auth required pam_wheel\&.so su auth required pam_unix\&.so -.EB lightgray adjust-for-leading-newline -.if t \{\ -.sp 1 -.\} .fi -.fam -.ps +1 .if n \{\ .RE .\} Index: pam.deb/modules/pam_wheel/README =================================================================== --- pam.deb.orig/modules/pam_wheel/README +++ pam.deb/modules/pam_wheel/README @@ -39,12 +39,6 @@ modules the wheel members may be able to su to root without being prompted for a passwd). -use_uid - - The check for wheel membership will be done against the current uid instead - of the original one (useful when jumping with su from one account to - another for example). - EXAMPLES The root account gains access by default (rootok), only wheel members can