Bug 161579
Summary: | pam_wheel restricts "su - otheruser" for users of non wheel group | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Mustafa Mahudhawala <mmahudha> |
Component: | pam | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED DEFERRED | QA Contact: | Jay Turner <jturner> |
Severity: | medium | Priority: | medium |
Version: | 4.0 | CC: | jbacik, slakshmanarao, srevivo |
Hardware: | All | Keywords: | FutureFeature |
OS: | Linux | Doc Type: | Enhancement |
Last Closed: | 2005-09-08 17:21:24 UTC | | |

Description
Mustafa Mahudhawala
2005-06-24 16:30:17 UTC
Created attachment 115943: Patch to provide additional target_uid option to pam_wheel

Attached above is a patch I wrote for pam_wheel (against pam-0.77-66.5) that provides for an additional parameter "target_uid", using which the pam_wheel restrictions on the group of the user invoking the pam authentication service are applicable only if the target uid matches the uid specified by the target_uid parameter. Without this option, pam_wheel works like before.

E.g. where you want to be able to allow only certain users to be able to su to root, but all users to be able to su to other normal users:

    auth required /lib/security/$ISA/pam_wheel.so use_uid target_uid=0

in /etc/pam.d/su

This is a known deficiency of pam_wheel in PAM <= 0.77; it was fixed in PAM-0.78 upstream. The option is "root_only" and it is without UID parameter. If adding this feature request will be acked by PM I will rather backport the "root_only" patch so we will be compatible with future RHEL releases.

This problem will be resolved in a future major release of Red Hat Enterprise Linux. Red Hat does not currently plan to provide a resolution for this in a Red Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response to customer and partner requirements, Red Hat takes a conservative approach when evaluating changes for inclusion in maintenance updates for currently deployed products. The primary objectives of update releases are to enable new hardware platform support and to resolve critical defects.

Hi,

1. With PAM = 0.99, I am using root_only in the pam_wheel module from /etc/pam.d/su. That worked fine in restricting su to root access to group wheel, and still allowing non wheel group users to do su to other accounts. However, I thought your solution is better, because the target_uid option gives the ability to restrict a given group to su to a specified target_uid account. So I would like to try it. But your bug fix doesn't have the procedure to install the fix. Can you send any update on how to install the fix?

Thanks & regards,
Lakshmana
slakshmanarao
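
The pam_wheel configurations discussed in this thread, as an added example (not part of the bug report, the attached patch, or PAM's source): a small Python model of which su attempts each line lets through, useful when reviewing /etc/pam.d/su. The sample lines, group names and uid 500 are constructed; target_uid is modeled only from the reporter's description, and option parsing is simplified (plain control fields, group defaults to "wheel").

```python
import shlex

def parse_wheel_line(line):
    """Return pam_wheel options from one PAM config line, or None."""
    fields = shlex.split(line, comments=True)
    if len(fields) < 3 or not fields[2].endswith("pam_wheel.so"):
        return None
    opts = {"group": "wheel", "root_only": False, "target_uid": None}
    for arg in fields[3:]:
        key, _, value = arg.partition("=")
        if key == "root_only":          # upstream option named in the thread
            opts["root_only"] = True
        elif key == "target_uid":       # option proposed by the attached patch
            opts["target_uid"] = int(value)
        elif key == "group":
            opts["group"] = value
    return opts

def wheel_permits(opts, invoker_groups, target_uid):
    """True if the modeled check does not block this su attempt."""
    if opts["root_only"] and target_uid != 0:
        return True    # check skipped: target is not root
    if opts["target_uid"] is not None and target_uid != opts["target_uid"]:
        return True    # check skipped: target is not the protected uid
    return opts["group"] in invoker_groups

# Constructed sample lines for /etc/pam.d/su.
MODULE = "auth required /lib/security/$ISA/pam_wheel.so use_uid"
LINES = {
    "plain":          MODULE,
    "target_uid=0":   MODULE + " target_uid=0",
    "root_only":      MODULE + " root_only",
    "target_uid=500": MODULE + " target_uid=500",
}

# Constructed su attempts: (invoking user's groups, target uid).
ATTEMPTS = [({"wheel"}, 0), ({"users"}, 0), ({"users"}, 500)]

def matrix(name):
    """Outcome of each attempt in ATTEMPTS under the named config line."""
    opts = parse_wheel_line(LINES[name])
    return [wheel_permits(opts, groups, uid) for groups, uid in ATTEMPTS]

if __name__ == "__main__":
    for name in LINES:
        print(f"{name:15}", matrix(name))
```

In this model a line with target_uid=500 on its own leaves su to root unrestricted, so protecting a non-root account this way still needs a separate line covering uid 0.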