Bug 73351 - pam_wheel restricts access to ALL accounts, not just root
Summary: pam_wheel restricts access to ALL accounts, not just root
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
Version: 8.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2002-09-03 11:22 UTC by Göran Uddeborg
Modified: 2015-01-08 00:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-11 13:01:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Suggested patch to fix this problem. (508 bytes, patch)
2002-09-03 11:23 UTC, Göran Uddeborg

Description Göran Uddeborg 2002-09-03 11:22:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
According to the documentation, pam_wheel only permits root access to members of
the wheel group.  The implementation, however, restricts access to ANY other
user to members of the wheel group.

Version-Release number of selected component (if applicable): 0.75-40


How reproducible:
Always

Steps to Reproduce:
1. Add this line to /etc/pam.d/su if not already there:
   auth       required     /lib/security/pam_wheel.so use_uid
2. Do "su" from one ordinary user to another


Actual Results:  The access is denied.

Expected Results:  The access should be allowed.

Additional info:

I ASSUME it is the documentation which is the intended behaviour.  That's how
it's done on other systems.

There is a code section in pam_wheel.c with a header comment "su to a uid 0
account ?".  I get the impression that this is where this part of the logic
should be.  But the return value in that test is never used, except for testing
the existence of the account.

I enclose a suggested patch.

Comment 1 Göran Uddeborg 2002-09-03 11:23:29 UTC
Created attachment 74665 [details]
Suggested patch to fix this problem.

Comment 2 Tomas Mraz 2004-11-10 13:59:36 UTC
I'll implement this in upstream PAM, but I'll add a root_only option
to the module to enable this functionality so it doesn't change for
existing users of PAM.


Comment 3 Tomas Mraz 2004-11-11 13:01:24 UTC
Fixed in upstream CVS.


Comment 4 Aleksandar Milivojevic 2005-06-01 18:24:12 UTC
I've just run into this problem on RHEL4.  Does this mean it was fixed after
RHEL4 freeze (and will appear in one of future updates)?  What is the minimum
version of pam package that has this fix incorporated?

Comment 5 Tomas Mraz 2005-06-01 19:43:46 UTC
Linux-PAM-0.78
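A simplified model of the access decision discussed in the description and in Comment 2, written as an added example rather than code from pam_wheel.c or the attached patch. The group line is constructed and stands in for the real wheel lookup, the caller's name is assumed already resolved (which is what the use_uid option controls), and the root_only flag models the option proposed in Comment 2: without it every su target requires wheel membership (the reported behaviour), with it only a uid-0 target does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed group(5) line standing in for getgrnam("wheel"); not the module's lookup. */
static const char *WHEEL_LINE = "wheel:x:10:alice,root";

/* Return 1 if `user` is listed in the member field (after the last ':') of a group(5) line. */
int in_group_line(const char *line, const char *user) {
    const char *members = strrchr(line, ':');
    if (!members) return 0;
    members++;                          /* skip the ':' */
    size_t ulen = strlen(user);
    while (*members) {
        const char *end = strchr(members, ',');
        size_t len = end ? (size_t)(end - members) : strlen(members);
        if (len == ulen && strncmp(members, user, len) == 0) return 1;
        if (!end) break;
        members = end + 1;
    }
    return 0;
}

/* Model of the pam_wheel decision: 1 = allow (PAM_SUCCESS), 0 = deny (PAM_PERM_DENIED).
 * root_only == 0 reproduces the behaviour this bug reports: any target needs wheel.
 * root_only == 1 applies the wheel check only when the target account is uid 0. */
int wheel_allows(const char *from_user, unsigned target_uid, int root_only) {
    if (root_only && target_uid != 0)
        return 1;                       /* non-root target: no wheel check at all */
    return in_group_line(WHEEL_LINE, from_user);
}

int main(void) {
    /* bob is not in wheel; carol is a constructed ordinary account with uid 1001 */
    printf("default   bob -> carol : %s\n", wheel_allows("bob", 1001, 0) ? "allow" : "deny");
    printf("root_only bob -> carol : %s\n", wheel_allows("bob", 1001, 1) ? "allow" : "deny");
    printf("root_only bob -> root  : %s\n", wheel_allows("bob", 0, 1) ? "allow" : "deny");
    printf("root_only alice -> root: %s\n", wheel_allows("alice", 0, 1) ? "allow" : "deny");
    return 0;
}
```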


