Re: GNU su and the wheel group

From: jpd (read_the_sig_at_do.not.spam.it)
Date: 09/28/04


Date: Tue, 28 Sep 2004 08:23:32 +0000 (UTC)

On 2004-09-27, Chris Adams <cmadams@hiwaay.net> wrote:
> Once upon a time, jpd <read_the_sig@do.not.spam.it> said:
>>Note that you can re-introduce a crippled version of the wheel
>>restriction through pam. Cripple because, pam_wheel only checks for
>>wheel, it does not check for `destination root', so it breaks _all_
>>suing.
>
> Cite? I've been using pam_wheel for years, and I'm pretty sure it only
> looks at attempts to auth to root by default.

The bunch of people loudly complaining ``it doesn't work''. Altough the
documentation talks about letting /su to root/, there are no options to
change target user, and the code doesn't appear to check for target uid.
This is probably a much more recent version that the versions I've been
using:

  http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/pam_wheel/
  pam_wheel.c?view=markup
(split ulr)

There is a comment ``/* su to a uid 0 account ? */'' but I don't see how
the code below it relates to checking for an actual target uid of 0. The
``pwd'' that is being filled in doesn't appear to be used afterwards.

Admittedly, my knowledge of the inner workings of pam is limited, so I
might easily be mistaken. But if so, I don't see it.

-- 
  j p d (at) d s b (dot) t u d e l f t (dot) n l .