Package: libpam-modules
Version: 0.76-22
Severity: wishlist
Tags: patch

Hi!

I frequently switch to "builder" account with `su -`
and would like to do this without typing password and
without using sudo.

I used "pam_wheel trust" to switch to root without
password and I think it would be OK to provide the same
functionality for ordinary user switches too. Anyway,
if I can `su -` without passwd, I can `su - anyone`
then (without passwd too), i.e. I will be able to
switch to any account without passwd, although in 2
steps.

So there's nothing conceptually wrong with my proposal
in regard to security. The new feature is simply a
transitive closure of an old one (let's call it a
transitive trust).

Moreover, I propose not only to extend "trust"
"transitively", but also to make the deny feature more strict,
on a similar principle, i.e. let it disable switches to
ordinary users too.

To make the "deny" feature truly transitive, one should
not be allowed to switch to user, which is allowed to
become superuser, though. I.e. "deny" should allow user
switches only inside the "nosu" group (currently I have
not implemented this).

BTW, comments in /etc/pam.d/su are misleading:

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

because only switches to superuser are affected...

-- 
WBR,
xrgtn

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (501, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i586)
Kernel: Linux 2.4.27-debsec
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libpam-modules depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libcap1                     1:1.10-12    support for getting/setting POSIX.
ii  libdb3                      3.2.9-20     Berkeley v3 Database Libraries [ru
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information
Index: Linux-PAM/modules/pam_wheel/pam_wheel.c
===================================================================
RCS file: /var/cvs/deb/pam/Linux-PAM/modules/pam_wheel/pam_wheel.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- Linux-PAM/modules/pam_wheel/pam_wheel.c     9 Feb 2005 13:19:17 -0000       
1.1
+++ Linux-PAM/modules/pam_wheel/pam_wheel.c     9 Feb 2005 14:20:23 -0000       
1.2
@@ -144,7 +144,7 @@
       */
 
      /* is this user an UID 0 account ? */
-     if(pwd->pw_uid) {
+     if(pwd->pw_uid && !(ctrl & (PAM_TRUST_ARG|PAM_DENY_ARG))) {
         /* no need to check for wheel */
         return PAM_IGNORE;
      }
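Review bot: the new condition silently changes the meaning of every existing `trust` configuration: a `pam_wheel.so trust` line that today only grants wheel members passwordless su to root will, after this hunk, grant them passwordless su to every account, with no new option to opt in. Since both `trust` and `deny` are documented as affecting only switches to UID 0, a separate argument (or at least an updated README and `/etc/pam.d/su` comment) would keep upgraded systems from widening access unnoticed. The comment `/* no need to check for wheel */` above `return PAM_IGNORE;` is now only accurate when neither argument is given and should be reworded accordingly. Finally, as the report itself says, the transitive `deny` is still incomplete: a member of the `nosu` group can still switch to an account that is allowed to become root and go on from there, so the deny path should restrict targets to the `nosu` group before this is merged.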