From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
According to the documentation, pam_wheel only permits root access to members of the wheel group. The implementation, however, restricts access to ANY other user to members of the wheel group.

Version-Release number of selected component (if applicable): 0.75-40

How reproducible: Always

Steps to Reproduce:
1. Add this line to /etc/pam.d/su if not already there:
   auth required /lib/security/pam_wheel.so use_uid
2. Do "su" from one ordinary user to another.

Actual Results: The access is denied.

Expected Results: The access should be allowed.

Additional info:
I ASSUME it is the documentation which is the intended behaviour. That's how it's done on other systems. There is a code section in pam_wheel.c with a header comment "su to a uid 0 account ?". I get the impression that this is where this part of the logic should be. But the return value in that test is never used, except for testing the existence of the account. I enclose a suggested patch.
Created attachment 74665: Suggested patch to fix this problem.
I'll implement this in upstream PAM, but I'll add a root_only option to the module to enable this functionality so it doesn't change for existing users of PAM.
Fixed in upstream CVS.
I've just run into this problem on RHEL4. Does this mean it was fixed after the RHEL4 freeze (and will appear in one of the future updates)? What is the minimum version of the pam package that has this fix incorporated?
Linux-PAM-0.78
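For reference, the /etc/pam.d/su line from the report next to the form that uses the root_only option added with the fix (an added example for this thread, not an attachment from the bug; it assumes a pam_wheel from Linux-PAM 0.78 or later that recognizes root_only, and a stack where pam_wheel is listed before the other auth modules):

```conf
# /etc/pam.d/su (excerpt; added example, not part of the bug report)

# Line from the report. With pam_wheel 0.75 this gates su to ANY target
# user on wheel membership, so su between two ordinary users is denied.
auth       required     /lib/security/pam_wheel.so use_uid

# With the root_only option (Linux-PAM 0.78 and later), the wheel check is
# applied only when the target account has uid 0; su to a non-root user is
# ignored by pam_wheel and decided by the rest of the auth stack below.
auth       required     /lib/security/pam_wheel.so use_uid root_only
```

Whether the installed module knows the option can be checked before editing the stack with `strings /lib/security/pam_wheel.so | grep -w root_only` (assumed check: an empty result means the module predates the fix); keep a root shell open while testing changes to the su stack.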