Bug 161579 - pam_wheel restricts "su - otheruser" for users of non wheel group
pam_wheel restricts "su - otheruser" for users of non wheel group
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Jay Turner
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2005-06-24 12:30 EDT by Mustafa Mahudhawala
Modified: 2015-01-07 19:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-09-08 13:21:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to provide additional target_uid option to pam_wheel (2.92 KB, patch)
2005-06-24 12:33 EDT, Mustafa Mahudhawala
no flags Details | Diff

  None (edit)
Description Mustafa Mahudhawala 2005-06-24 12:30:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
Though the README for pam_wheel says it restricts only root authentication for users other than members of group wheel, in practice it restricts authentication for any other user as well, eg.

When you enable pam_wheel for su, using ..

auth       required     /lib/security/$ISA/pam_wheel.so debug use_uid

in /etc/pam.d/su

Users not in wheel group, cannot do a "su - otheruser" also, whereas they should only be restricted from "su -" or "su - root"

Many times the requirement is for restricting only root access via su for selected members, where as other users should be able to change to non root users using "su - otheruser"

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
As in Description.

Actual Results:  su - otheruser fails.

Expected Results:  should succeed.

Additional info:

However, correcting this could have security implications for existing pam_wheel users who rely on this incorrect pam_wheel behaviour. Hence suggest having an additional option for pam_wheel.
Comment 1 Mustafa Mahudhawala 2005-06-24 12:33:36 EDT
Created attachment 115943 [details]
Patch to provide additional target_uid option to pam_wheel
Comment 2 Mustafa Mahudhawala 2005-06-24 12:37:35 EDT
Attached above is a patch I wrote for pam_wheel (against pam-0.77-66.5) that
provides for an additional parameter "target_uid" using which the pam_wheel
restrictions on the group of the user invoking the pam authentication service is
applicable only if the target uid matches the uid specified by target_uid parameter.

Without this option, pam_wheel works like before.
Comment 3 Mustafa Mahudhawala 2005-06-24 12:39:46 EDT
eg. where you want to be able to allow only certain users to be able to su to
root, but all users to be able to su to other normal users ..

auth       required     /lib/security/$ISA/pam_wheel.so use_uid target_uid=0 

in /etc/pam.d/su
Comment 4 Tomas Mraz 2005-06-26 09:36:34 EDT
This is a known deficiency of pam_wheel in PAM <= 0.77, it was fixed in PAM-0.78
upstream. The option is "root_only" and it is without UID parameter.

If adding this feature request will be acked by PM I will rather backport the
"root_only" patch so we will be compatible with future RHEL releases.
Comment 5 Tomas Mraz 2005-09-08 13:21:24 EDT
This problem will be resolved in a future major release of Red Hat Enterprise
Linux. Red Hat does not currently plan to provide a resolution for this in a Red
Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.
Comment 6 slakshmanarao 2009-05-26 16:00:26 EDT

1. Wiht PAM  = 0.99 , I am using root_only in pam_wheel module from /etc/pam.d/su.  That worked. fine in restricting su to root access to group wheel, and still allowing 
   non wheel group users to do su to other accounts.
However I thought your solution is better , because target_uid option gives the ability to to restrict , a given group to SU to a specified target_uid account.
So  would like to try it . But your bug fix doesnt have the procedure to install the fix. can you send any updated on how to install the fix.

thanks & regards

Note You need to log in before you can comment on or make changes to this bug.