Red Hat Bugzilla – Bug 73351
pam_wheel restricts access to ALL accounts, not just root
Last modified: 2015-01-07 19:00:09 EST
Description of problem:
According to the documentation, pam_wheel only permits root access to members of
the wheel group. The implementation, however, restricts access to ANY other
user to members of the wheel group.
Version-Release number of selected component (if applicable): 0.75-40
Steps to Reproduce:
1. Add this line to /etc/pam.d/su if not already there:
   auth required /lib/security/pam_wheel.so use_uid
2. Do "su" from one ordinary user to another
Actual Results: The access is denied.
Expected Results: The access should be allowed.
I ASSUME it is the documentation which is the intended behaviour. That's how
it's done on other systems.
There is a code section in pam_wheel.c with a header comment "su to a uid 0
account ?". I get the impression that this is where this part of the logic
should be. But the return value in that test is never used, except for testing
the existence of the account.
I enclose a suggested patch.
Created attachment 74665
Suggested patch to fix this problem.
I'll implement this in upstream PAM, but I'll add a root_only option
to the module to enable this functionality so it doesn't change for
existing users of PAM.
Fixed in upstream CVS.
I've just run into this problem on RHEL4. Does this mean it was fixed after
the RHEL4 freeze (and will appear in one of the future updates)? What is the
minimum version of the pam package that has this fix incorporated?
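
An added example, not part of the bug report or of the PAM sources: a shell check that reads a PAM service file such as /etc/pam.d/su and reports, for each pam_wheel line, whether the root_only option discussed in this thread is present. The function names and the sample stack are constructed for illustration, and the check assumes the option is spelled root_only as in the comment above.

```shell
#!/bin/sh
# Report the scope of every pam_wheel line in a PAM service file.
# Output per matching line: "<line number> <type> <scope>"
#   all-targets : no root_only, so the wheel check gates su to ANY account
#                 (the behaviour reported in this bug)
#   root-only   : root_only present, so only su to root is gated
# Reads the files given as arguments, or stdin when there are none.
pam_wheel_scope() {
    awk '
        { sub(/#.*/, "") }            # drop comments, including trailing ones
        NF < 3 { next }               # need type, control and module at least
        {
            modcol = 0
            # The module is searched from field 3 on, because a bracketed
            # control such as [success=1 default=ignore] spans several fields.
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)pam_wheel\.so$/) { modcol = i; break }
            if (!modcol) next
            scope = "all-targets"
            for (i = modcol + 1; i <= NF; i++)
                if ($i == "root_only") scope = "root-only"
            print NR, $1, scope
        }
    ' "$@"
}

# Succeeds (exit 0) when at least one pam_wheel line lacks root_only.
pam_wheel_gates_all_targets() {
    pam_wheel_scope "$@" | grep -q ' all-targets$'
}

# Constructed sample stack, not copied from any real system.
sample_stack() {
cat <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
# auth     required     /lib/security/pam_wheel.so use_uid root_only
auth       required     /lib/security/pam_wheel.so use_uid root_only
EOF
}

sample_stack | pam_wheel_scope
```

Backslash line continuations in the service file are not joined, so an option placed on a continuation line is not seen.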