Red Hat Bugzilla – Bug 161579
pam_wheel restricts "su - otheruser" for users of non wheel group
Last modified: 2015-01-07 19:10:05 EST
Description of problem:
Though the README for pam_wheel says it restricts only root authentication for users other than members of group wheel, in practice it restricts authentication for any other user as well, e.g.:
When you enable pam_wheel for su, using:
auth required /lib/security/$ISA/pam_wheel.so debug use_uid
Users not in the wheel group cannot do "su - otheruser" either, whereas they should only be restricted from "su -" or "su - root".
Many times the requirement is to restrict only root access via su to selected members, whereas other users should be able to change to non-root users using "su - otheruser".
Steps to Reproduce:
As in Description.
Actual Results: su - otheruser fails.
Expected Results: should succeed.
However, correcting this could have security implications for existing pam_wheel users who rely on this incorrect pam_wheel behaviour. Hence I suggest having an additional option for pam_wheel.
Created attachment 115943
Patch to provide additional target_uid option to pam_wheel
Attached above is a patch I wrote for pam_wheel (against pam-0.77-66.5) that provides an additional parameter "target_uid", with which the pam_wheel restrictions on the group of the user invoking the PAM authentication service are applicable only if the target uid matches the uid specified by the target_uid parameter. Without this option, pam_wheel works like before.
E.g. where you want to allow only certain users to be able to su to root, but all users to be able to su to other normal users:
auth required /lib/security/$ISA/pam_wheel.so use_uid target_uid=0
This is a known deficiency of pam_wheel in PAM <= 0.77; it was fixed in PAM 0.78 upstream. The option is "root_only" and it takes no UID parameter.
If this feature request is acked by PM, I will rather backport the "root_only" patch so that we will be compatible with future RHEL releases.
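As an added audit example (not part of this bug report, the attached patch, or pam_wheel itself): a POSIX shell function that reads a PAM service file and reports whether pam_wheel restricts every su target (the pre-0.78 behaviour described above) or only su to root. The sample files, the function names and the treatment of the patch's target_uid=0 option as equivalent to root_only are my assumptions.

```shell
#!/bin/sh
# Added audit helper: report how pam_wheel is scoped in a PAM service file
# such as /etc/pam.d/su. Result is printed as one word:
#   none         pam_wheel is not loaded in the auth stack
#   all-targets  non-wheel users are blocked from su to ANY user (PAM <= 0.77)
#   root-only    non-wheel users are blocked only from su to root
#                (root_only in PAM >= 0.78, or target_uid=0 from this bug's patch)
# Assumes the simple "type control module options" line format; the bracketed
# [success=...] control syntax and the deny/group= pam_wheel options are not
# interpreted.
pam_wheel_scope() {
    scope="none"
    while read -r type control module opts; do
        case "$type" in ''|\#*) continue ;; esac        # blank or comment line
        [ "$type" = "auth" ] || continue                # pam_wheel matters for auth only
        case "$module" in *pam_wheel.so) ;; *) continue ;; esac   # any path or $ISA prefix
        scope="all-targets"
        for o in $opts; do
            case "$o" in root_only|target_uid=0) scope="root-only" ;; esac
        done
    done < "$1"
    echo "$scope"
}

# Constructed sample 1: the stack from the bug report (pam-0.77 era file).
write_sample_old() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so debug use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
}

# Constructed sample 2: the same stack with the root_only option (PAM >= 0.78).
write_sample_fixed() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid root_only
auth       include      system-auth
EOF
}

# Stand-alone usage: audit the live su service file when present.
if [ -r /etc/pam.d/su ]; then
    echo "/etc/pam.d/su: $(pam_wheel_scope /etc/pam.d/su)"
fi
```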
This problem will be resolved in a future major release of Red Hat Enterprise Linux. Red Hat does not currently plan to provide a resolution for this in a Red Hat Enterprise Linux update for currently deployed systems.
With the goal of minimizing risk of change for deployed systems, and in response to customer and partner requirements, Red Hat takes a conservative approach when evaluating changes for inclusion in maintenance updates for currently deployed products. The primary objectives of update releases are to enable new hardware platform support and to resolve critical defects.
1. With PAM 0.99, I am using root_only in the pam_wheel module from /etc/pam.d/su. That worked fine in restricting su to root to group wheel, while still allowing non-wheel-group users to su to other accounts.
However, I thought your solution is better, because the target_uid option gives the ability to restrict a given group to su to a specified target_uid account.
So I would like to try it. But your bug fix doesn't have the procedure to install the fix. Can you send any update on how to install the fix?
thanks & regards