Bug 73351 - pam_wheel restricts access to ALL accounts, not just root
Product: Red Hat Linux
Classification: Retired
Component: pam
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Jay Turner
Reported: 2002-09-03 07:22 EDT by Göran Uddeborg
Modified: 2015-01-07 19:00 EST
Doc Type: Bug Fix
Last Closed: 2004-11-11 08:01:24 EST

Attachments
Suggested patch to fix this problem. (508 bytes, patch)
2002-09-03 07:23 EDT, Göran Uddeborg
Description Göran Uddeborg 2002-09-03 07:22:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
According to the documentation, pam_wheel only permits root access to members of
the wheel group.  The implementation, however, restricts access to ANY other
user to members of the wheel group.

Version-Release number of selected component (if applicable): 0.75-40

How reproducible:

Steps to Reproduce:
1. Add this line to /etc/pam.d/su if not already there:
auth       required     /lib/security/pam_wheel.so use_uid
2. Do "su" from one ordinary user to another.

Actual Results:  The access is denied.

Expected Results:  The access should be allowed.

Additional info:

I ASSUME it is the documentation which is the intended behaviour.  That's how
it's done on other systems.

There is a code section in pam_wheel.c with a header comment "su to a uid 0
account ?".  I get the impression that this is where this part of the logic
should be.  But the return value in that test is never used, except for testing
the existence of the account.

I enclose a suggested patch.
Comment 1 Göran Uddeborg 2002-09-03 07:23:29 EDT
Created attachment 74665 [details]
Suggested patch to fix this problem.
Comment 2 Tomas Mraz 2004-11-10 08:59:36 EST
I'll implement this in upstream PAM, but I'll add a root_only option
to the module to enable this functionality so it doesn't change for
existing users of PAM.
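As an added illustration (not the attached patch and not Linux-PAM source), here is a minimal C model of the decision described in the report and in Comment 2: the result codes, the constructed account table and the `wheel_decide` helper are assumptions standing in for the PAM return values and for getpwnam()/getgrnam() lookups.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Outcome of the module's vote, standing in for PAM return codes (assumption). */
enum wheel_result { WHEEL_DENY, WHEEL_ALLOW, WHEEL_IGNORE, WHEEL_UNKNOWN_USER };

struct account { const char *name; unsigned uid; bool in_wheel; };

/* Constructed sample accounts; a real module resolves these through getpwnam()/getgrnam(). */
static const struct account accounts[] = {
    { "root",  0,    true  },
    { "alice", 1000, true  },   /* wheel member */
    { "bob",   1001, false },   /* ordinary user, not in wheel */
    { "carol", 1002, false },   /* ordinary user, not in wheel */
};

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* caller: the user running su (PAM_RUSER, or the real uid when use_uid is set);
 * target: the account being switched to;
 * root_only: the option from Comment 2, limiting the check to uid 0 targets. */
enum wheel_result wheel_decide(const char *caller, const char *target, bool root_only)
{
    const struct account *c = lookup(caller), *t = lookup(target);
    if (!c || !t)
        return WHEEL_UNKNOWN_USER;

    /* The "su to a uid 0 account?" test. The reported defect is that its result
     * was computed but never used, so the wheel check below gated every target.
     * Without root_only this model reproduces that behaviour. */
    if (root_only && t->uid != 0)
        return WHEEL_IGNORE;    /* not a switch to root: the module steps aside */

    return c->in_wheel ? WHEEL_ALLOW : WHEEL_DENY;
}
```

The first two assertions below contrast the reported behaviour (bob denied when switching to carol) with the root_only behaviour, where the module does not vote on a non-root target.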
Comment 3 Tomas Mraz 2004-11-11 08:01:24 EST
Fixed in upstream CVS.
Comment 4 Aleksandar Milivojevic 2005-06-01 14:24:12 EDT
I've just run into this problem on RHEL4.  Does this mean it was fixed after
the RHEL4 freeze (and will appear in one of the future updates)?  What is the minimum
version of the pam package that has this fix incorporated?
Comment 5 Tomas Mraz 2005-06-01 15:43:46 EDT
