
Re: Wheel module with trust doesn't work (?)



Once upon a time, alanr@bell-labs.com said:
> I sent this out a few days ago, but received no response.  Did others get it? 
> Should I have sent it to another list instead?
> 
> 
> When I put this line at the top of the 'su' PAM configuration:
> 	auth       sufficient  /lib/security/pam_wheel.so trust
> 
> I (in group wheel, gid=0) am prompted for a password when using su.
> 
> When I change it to this line:
> 
> 	auth    sufficient  /lib/security/pam_wheel.so trust bug-workaround
> 
> (or any invalid keyword in place of bug-workaround), it works correctly (i.e.,
> it doesn't prompt me for a password).  I think the non-"trust" case fails in a
> similar way.
> 
> This looks like a bug to me.  Maybe it's not though (?)
> 
> I'm running Red Hat 5.0 with their latest patches.

I don't know about your problem, but I have another problem with the
wheel module.  I put this line at the top of the standard /etc/pam.d/su:

auth       required     /lib/security/pam_wheel.so group=wheel

I wanted to use a group other than root.  What I found was that when
pam_wheel.so did the group lookup, it opened and read /etc/group itself
(instead of checking the group perms of the running process like the
shadow version of su does).  There is a bug somewhere in the reading,
and the username at the end of the line is garbled (I think the last
character was chopped or a space added; it has been a while since I
looked).  The workaround is to put something like this in /etc/group:

wheel::10:root,cadams,lon,npugh,root

Just always leave root at the end of the line.

Anyway, I think pam_wheel.so has several problems.  I started to look at
it several months ago, right after Red Hat 4.9.1 (the beta) was
released and I noticed the above problem, but I have not had time since.
-- 
Chris Adams - cadams@ro.com
System Administrator - Renaissance Internet Services
I don't speak for anybody but myself - that's enough trouble.
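
An added example, not part of the original message and not pam_wheel's own code: a C routine that matches a user against the member list of one /etc/group line so that the last name on the line is compared the same way as the others, with or without a trailing newline or blank. The function name and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: match `user` against the member list of ONE /etc/group line
 * ("name:passwd:gid:member,member,..."). Returns 1 if listed, 0 if not (or the
 * line is for another group), -1 if the line has fewer than four fields.
 * Production code would normally ask libc via getgrnam(3) instead. */
int group_line_has_member(const char *line, const char *group, const char *user)
{
    size_t glen = strlen(group), ulen = strlen(user);
    const char *p = line;
    int colons = 0;

    /* The first field must be exactly the group name. */
    if (strncmp(line, group, glen) != 0 || line[glen] != ':')
        return 0;
    /* Advance past three ':' separators to reach the member list. */
    while (*p && colons < 3)
        if (*p++ == ':')
            colons++;
    if (colons < 3)
        return -1;

    for (;;) {
        /* A name ends at ',' or at end of line; the terminator is not part of it. */
        size_t len = strcspn(p, ",\r\n"), tlen = len;
        const char *tok = p;
        /* Drop stray blanks so the last entry is treated like the others. */
        while (tlen && isspace((unsigned char)*tok)) { tok++; tlen--; }
        while (tlen && isspace((unsigned char)tok[tlen - 1])) tlen--;
        /* Compare whole names only: same non-zero length and same bytes. */
        if (tlen && tlen == ulen && memcmp(tok, user, ulen) == 0)
            return 1;
        if (p[len] != ',')
            return 0;          /* newline or NUL: list exhausted */
        p += len + 1;
    }
}

int main(void)
{
    /* Constructed sample line, with the wanted user last and a trailing newline. */
    const char *line = "wheel::10:root,cadams,lon,npugh\n";
    printf("npugh: %d\n", group_line_has_member(line, "wheel", "npugh"));
    printf("npug:  %d\n", group_line_has_member(line, "wheel", "npug"));
    return 0;
}
```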


