On 29 Sep, Steve Langasek wrote:
> On Wed, Sep 28, 2005 at 09:46:57PM -0700, James Blanford wrote:
>
>> OK, I was trying to goad you into checking and failed. So I reverted
>> the patch myself and rootok is still broken. I hereby change the bug
>> to "rootok module is broken and I don't know why". Going back to
>> 0.76-23 restores rootok's functionality.
>
> Which makes even less sense, because the upstream diff between 0.76
> and 0.79 for rootok is nil.
>
> Are you sure this isn't actually related to the update of login, which
> briefly caused /etc/pam.d/su to be missing from the package? I know
> you quoted an /etc/pam.d/su config to me earlier, but I'm not seeing
> this bug here and if you don't have an SELinux-enabled kernel I really
> don't have any other ideas why this is broken for you.

Well, now I think it's pam_wheel.so that's broken. The problem is exposed by this line in /etc/pam.d/su:
    auth required pam_wheel.so group=adm

If I replace it with:

    auth required pam_wheel.so

functionality is restored. I thought I'd tried it before. What's interesting is that _all_ attempts to su from root fail even with the correct password when the "group=adm" argument is used.

I ltraced the su attempt with the 0.76-23 version and compared it to an attempt with the 0.79-1 version minus the 057 patch. The "pam_handle_t" identifier passed by pam_authenticate() was different:

    pam_authenticate(0x8055bc8, 0, 0x804e620, 0x8056958, 0

vs.

    pam_authenticate(0x8055bc8, 0, 0x804e620, -1, 0

It doesn't matter what group I use. "group=users" leads to all failures attempting to su from root also. And when I mention "root", I always get there using su. I never log in as root. For that matter it's not allowed.

So to reproduce it, add the offending line

    auth required pam_wheel.so group=somegroup

to /etc/pam.d/su, su to root from any user belonging to "somegroup" and then try to su to any other user. Be sure to leave a terminal open as root, in case you can't get to root after making the changes.