Patch for Debian bug #163787 et al
Always use the process uid, not getlogin(), to identify an applicant in pam_wheel; utmp may be wrong or may have no entry at all in the case of an xterm
Authors: Ben Collins
Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
Index: pam.deb/modules/pam_wheel/pam_wheel.c
===================================================================
--- pam.deb.orig/modules/pam_wheel/pam_wheel.c
+++ pam.deb/modules/pam_wheel/pam_wheel.c
@@ -60,9 +60,8 @@
 /* argument parsing */
 
 #define PAM_DEBUG_ARG 0x0001
-#define PAM_USE_UID_ARG 0x0002
-#define PAM_TRUST_ARG 0x0004
-#define PAM_DENY_ARG 0x0010
+#define PAM_TRUST_ARG 0x0002
+#define PAM_DENY_ARG 0x0004
 #define PAM_ROOT_ONLY_ARG 0x0020
 
 static int
@@ -80,8 +79,7 @@
 
         if (!strcmp(*argv,"debug"))
             ctrl |= PAM_DEBUG_ARG;
-        else if (!strcmp(*argv,"use_uid"))
-            ctrl |= PAM_USE_UID_ARG;
+        else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
         else if (!strcmp(*argv,"trust"))
             ctrl |= PAM_TRUST_ARG;
         else if (!strcmp(*argv,"deny"))
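Review bot: Renumbering PAM_TRUST_ARG to 0x0002 and PAM_DENY_ARG to 0x0004 is not needed to retire PAM_USE_UID_ARG and enlarges a patch that is meant to be carried against upstream. The ctrl bits are internal to the module, so leaving the existing values untouched and deleting only the `#define PAM_USE_UID_ARG 0x0002` line is equally correct and keeps this hunk to one removed line. A short comment in its place, such as `/* 0x0002 was use_uid; the option is now accepted and ignored */`, would record why the bit is no longer assigned.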
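Review bot: The new use_uid branch ends in a bare `;` as its body, which compilers report under -Wempty-body and which a later reader can easily mistake for an accidental semicolon that swallowed the following statement. Since the option is deliberately accepted and ignored for old configurations, make the empty body explicit: `else if (!strcmp(*argv,"use_uid")) { /* accepted and ignored: the real uid is now always used */ }`. The enclosing option-parsing function begins and ends outside the hunk.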
@@ -129,27 +127,14 @@
         }
     }
 
-    if (ctrl & PAM_USE_UID_ARG) {
-        tpwd = pam_modutil_getpwuid (pamh, getuid());
-        if (!tpwd) {
-            if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-            }
-            return PAM_SERVICE_ERR;
-        }
-        fromsu = tpwd->pw_name;
-    } else {
-        fromsu = pam_modutil_getlogin(pamh);
-        if (fromsu) {
-            tpwd = pam_modutil_getpwnam (pamh, fromsu);
-        }
-        if (!fromsu || !tpwd) {
-            if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-            }
-            return PAM_SERVICE_ERR;
+    tpwd = pam_modutil_getpwuid (pamh, getuid());
+    if (!tpwd) {
+        if (ctrl & PAM_DEBUG_ARG) {
+            pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
         }
+        return PAM_SERVICE_ERR;
     }
+    fromsu = tpwd->pw_name;
 
     /*
      * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml
===================================================================
--- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml
+++ pam.deb/modules/pam_wheel/pam_wheel.8.xml
@@ -33,9 +33,6 @@ trust - - use_uid -
@@ -115,18 +112,6 @@ - - - - - - - The check for wheel membership will be done against - the current uid instead of the original one (useful when - jumping with su from one account to another for example). - - -
Index: pam.deb/modules/pam_wheel/pam_wheel.8
===================================================================
--- pam.deb.orig/modules/pam_wheel/pam_wheel.8
+++ pam.deb/modules/pam_wheel/pam_wheel.8
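Review bot: With the getlogin() fallback removed, `pam_modutil_getpwuid (pamh, getuid())` is the only way the module can identify the applicant, yet its failure is still logged only when the debug option is set before the module returns PAM_SERVICE_ERR. An su that fails because the real uid has no passwd entry, or because the name service is unavailable, then leaves no syslog record at all, which is exactly the case an administrator needs to see; log it unconditionally by dropping the `if (ctrl & PAM_DEBUG_ARG)` guard and using `pam_syslog(pamh, LOG_ERR, "who is running me ?!");`. Keying the check on the real uid rather than a utmp entry is the right identity for this decision, and the retained comment "fromsu = username-of-invoker" still describes the result. The enclosing function starts before and continues after the hunk.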
@@ -1,64 +1,59 @@ .\" Title: pam_wheel .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 04/16/2008 +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: 07/27/2008 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" -.TH "PAM_WHEEL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_WHEEL" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_wheel - Only permit root access to members of group wheel +pam_wheel \- Only permit root access to members of group wheel .SH "SYNOPSIS" .HP 13 -\fBpam_wheel\.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] .SH "DESCRIPTION" .PP The pam_wheel PAM module is used to enforce the so\-called \fIwheel\fR -group\. By default it permits root access to the system if the applicant user is a member of the +group\&. By default it permits root access to the system if the applicant user is a member of the \fIwheel\fR -group\. If no group with this name exist, the module is using the group with the group\-ID -\fB0\fR\. +group\&. If no group with this name exist, the module is using the group with the group\-ID +\fB0\fR\&. .SH "OPTIONS" .PP \fBdebug\fR .RS 4 -Print debug information\. +Print debug information\&. .RE .PP \fBdeny\fR .RS 4 Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the \fBgroup\fR -option), deny access\. Conversely, if the user is not in the group, return PAM_IGNORE (unless +option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless \fBtrust\fR -was also specified, in which case we return PAM_SUCCESS)\. +was also specified, in which case we return PAM_SUCCESS)\&. 
.RE .PP \fBgroup=\fR\fB\fIname\fR\fR .RS 4 Instead of checking the wheel or GID 0 groups, use the \fB\fIname\fR\fR -group to perform the authentication\. +group to perform the authentication\&. .RE .PP \fBroot_only\fR .RS 4 -The check for wheel membership is done only\. +The check for wheel membership is done only\&. .RE .PP \fBtrust\fR .RS 4 -The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\. -.RE -.PP -\fBuse_uid\fR -.RS 4 -The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\. +The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. .RE .SH "MODULE SERVICES PROVIDED" .PP 
@@ -66,52 +61,52 @@ \fBauth\fR and \fBaccount\fR -services are supported\. +services are supported\&. .SH "RETURN VALUES" .PP PAM_AUTH_ERR .RS 4 -Authentication failure\. +Authentication failure\&. .RE .PP PAM_BUF_ERR .RS 4 -Memory buffer error\. +Memory buffer error\&. .RE .PP PAM_IGNORE .RS 4 -The return value should be ignored by PAM dispatch\. +The return value should be ignored by PAM dispatch\&. .RE .PP PAM_PERM_DENY .RS 4 -Permission denied\. +Permission denied\&. .RE .PP PAM_SERVICE_ERR .RS 4 -Cannot determine the user name\. +Cannot determine the user name\&. .RE .PP PAM_SUCCESS .RS 4 -Success\. +Success\&. .RE .PP PAM_USER_UNKNOWN .RS 4 -User not known\. +User not known\&. .RE .SH "EXAMPLES" .PP -The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\. +The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&. .sp .RS 4 .nf -su auth sufficient pam_rootok\.so -su auth required pam_wheel\.so -su auth required pam_unix\.so +su auth sufficient pam_rootok\&.so +su auth required pam_wheel\&.so +su auth required pam_unix\&.so .fi .RE @@ -124,4 +119,4 @@ \fBpam\fR(8) .SH "AUTHOR" .PP -pam_wheel was written by Cristian Gafton \. +pam_wheel was written by Cristian Gafton \&. Index: pam.deb/modules/pam_wheel/README =================================================================== --- pam.deb.orig/modules/pam_wheel/README +++ pam.deb/modules/pam_wheel/README @@ -39,12 +39,6 @@ modules the wheel members may be able to su to root without being prompted for a passwd). -use_uid - - The check for wheel membership will be done against the current uid instead - of the original one (useful when jumping with su from one account to - another for example). - EXAMPLES The root account gains access by default (rootok), only wheel members can