[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM configuration for 'SU'



On Sat, Jul 04, 1998 at 08:25:28AM +0800, Francis A. Vidal wrote:
> On Fri, 3 Jul 1998, Charles R. Anderson wrote:
> 
> > Add the pam_wheel.so module to your /etc/pam.d/su like so:
> > 
> > #%PAM-1.0
> > auth       required   /lib/security/pam_wheel.so group=wheel
> > auth       required	/lib/security/pam_pwdb.so shadow nullok
> > account    required	/lib/security/pam_pwdb.so
> > password   required	/lib/security/pam_cracklib.so
> > password   required	/lib/security/pam_pwdb.so shadow use_authtok nullok
> > session    required	/lib/security/pam_pwdb.so

My /etc/pam.d/su looks
	auth       sufficient pam_rootok.so
	auth       required   pam_wheel.so use_uid group=wheel
	auth       required   pam_pwdb.so
	<other sections>

> 
> i just did what you suggested and i got this message when i 'su' to root
> (with the 'debug' option).
> 
> 	PAM-Wheel[450]: Access denied for 'xxxxx' to 'root'
> 
> where user 'xxxxx' is a member of group wheel(gid=10). i also changed the
> gid from 10 to 0 but still i get the same message.

The observed problems may be a result of a libpwdb bug.
libpwdb returns corrupted information for a last user in /etc/group
entry. For example, unpatched libpwdb gives wrong answer for user saw
for the following /etc/group line:
	wheel::10:root,saw
If your problem doesn't appear for users being not the last in wheel group
members list I can give you the patch for libpwdb.

Best wishes
					Andrey V.
					Savochkin



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []