debian/patches-applied/036_pam_wheel_getlogin_considered_harmful


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

Patch for Debian bug #163787 et al

Always use the process uid, not getlogin(), to identify an applicant in
pam_wheel; utmp may be wrong or may have no entry at all in the case of
an xterm

Authors: Ben Collins <bcollins@debian.org>

Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>

Index: pam.debian/modules/pam_wheel/pam_wheel.c
===================================================================
--- pam.debian.orig/modules/pam_wheel/pam_wheel.c
+++ pam.debian/modules/pam_wheel/pam_wheel.c
@@ -60,9 +60,8 @@
 /* argument parsing */
 
 #define PAM_DEBUG_ARG       0x0001
-#define PAM_USE_UID_ARG     0x0002
-#define PAM_TRUST_ARG       0x0004
-#define PAM_DENY_ARG        0x0010
+#define PAM_TRUST_ARG       0x0002
+#define PAM_DENY_ARG        0x0004
 #define PAM_ROOT_ONLY_ARG   0x0020
 
 static int
@@ -80,8 +79,7 @@
 
           if (!strcmp(*argv,"debug"))
                ctrl |= PAM_DEBUG_ARG;
-          else if (!strcmp(*argv,"use_uid"))
-               ctrl |= PAM_USE_UID_ARG;
+          else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
           else if (!strcmp(*argv,"trust"))
                ctrl |= PAM_TRUST_ARG;
           else if (!strcmp(*argv,"deny"))
@@ -129,27 +127,14 @@
         }
     }
 
-    if (ctrl & PAM_USE_UID_ARG) {
-	tpwd = pam_modutil_getpwuid (pamh, getuid());
-	if (!tpwd) {
-	    if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-	    }
-	    return PAM_SERVICE_ERR;
-	}
-	fromsu = tpwd->pw_name;
-    } else {
-	fromsu = pam_modutil_getlogin(pamh);
-	if (fromsu) {
-	    tpwd = pam_modutil_getpwnam (pamh, fromsu);
-	}
-	if (!fromsu || !tpwd) {
-	    if (ctrl & PAM_DEBUG_ARG) {
-		pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-	    }
-	    return PAM_SERVICE_ERR;
+    tpwd = pam_modutil_getpwuid (pamh, getuid());
+    if (!tpwd) {
+	if (ctrl & PAM_DEBUG_ARG) {
+	    pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
 	}
+	return PAM_SERVICE_ERR;
     }
+    fromsu = tpwd->pw_name;
 
     /*
      * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
Index: pam.debian/modules/pam_wheel/pam_wheel.8.xml
===================================================================
--- pam.debian.orig/modules/pam_wheel/pam_wheel.8.xml
+++ pam.debian/modules/pam_wheel/pam_wheel.8.xml
@@ -33,9 +33,6 @@
       <arg choice="opt">
 	trust
       </arg>
-      <arg choice="opt">
-	use_uid
-      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -115,18 +112,6 @@
           </para>
         </listitem>
       </varlistentry>
-      <varlistentry>
-        <term>
-          <option>use_uid</option>
-        </term>
-        <listitem>
-          <para>
-            The check for wheel membership will be done against
-            the current uid instead of the original one (useful when
-            jumping with su from one account to another for example).
-          </para>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 
Index: pam.debian/modules/pam_wheel/pam_wheel.8
===================================================================
--- pam.debian.orig/modules/pam_wheel/pam_wheel.8
+++ pam.debian/modules/pam_wheel/pam_wheel.8
@@ -31,7 +31,7 @@
 pam_wheel \- Only permit root access to members of group wheel
 .SH "SYNOPSIS"
 .HP \w'\fBpam_wheel\&.so\fR\ 'u
-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
+\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
 .SH "DESCRIPTION"
 .PP
 The pam_wheel PAM module is used to enforce the so\-called
@@ -72,11 +72,6 @@
 .RS 4
 The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
 .RE
-.PP
-\fBuse_uid\fR
-.RS 4
-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&.
-.RE
 .SH "MODULE TYPES PROVIDED"
 .PP
 The
Index: pam.debian/modules/pam_wheel/README
===================================================================
--- pam.debian.orig/modules/pam_wheel/README
+++ pam.debian/modules/pam_wheel/README
@@ -39,12 +39,6 @@
     modules the wheel members may be able to su to root without being prompted
     for a passwd).
 
-use_uid
-
-    The check for wheel membership will be done against the current uid instead
-    of the original one (useful when jumping with su from one account to
-    another for example).
-
 EXAMPLES
 
 The root account gains access by default (rootok), only wheel members can