author | Tomas Mraz <tm@t8m.info> | 2004-11-11 13:04:55 +0000 |
committer | Tomas Mraz <tm@t8m.info> | 2004-11-11 13:04:55 +0000 |
commit | 0185894c8971caf571087ff5ef9b022968544a39 (patch) | |
tree | faf19cc5357697490af3ee7a1ad88158aad4a22f /modules/pam_wheel | |
parent | 72850b3a5fd87662a18189b3f998b68bb1ce68fe (diff) | |
download | pam-0185894c8971caf571087ff5ef9b022968544a39.tar.gz pam-0185894c8971caf571087ff5ef9b022968544a39.tar.bz2 pam-0185894c8971caf571087ff5ef9b022968544a39.zip |
Relevant BUGIDs: Red Hat bz 73351
Purpose of commit: new feature
Commit summary:
---------------
Add root_only option to pam_wheel to make it affect
only authentication to root account.
Diffstat (limited to 'modules/pam_wheel')
-rw-r--r-- | modules/pam_wheel/README | 17 | ||||
-rw-r--r-- | modules/pam_wheel/pam_wheel.c | 14 |
2 files changed, 21 insertions, 10 deletions
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index b75689e8..2cd156c0 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -3,15 +3,15 @@ pam_wheel: only permit root authentication to members of wheel group RECOGNIZED ARGUMENTS: - debug write a message to syslog indicating success or + debug Write a message to syslog indicating success or failure. - use_uid the check for wheel membership will be done against + use_uid The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to - another for example) - - trust the pam_wheel module will return PAM_SUCCESS instead + another for example). + + trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without @@ -25,8 +25,11 @@ RECOGNIZED ARGUMENTS: PAM_IGNORE (unless 'trust' was also specified, in which case we return PAM_SUCCESS). - group=xxxx Instead of checking the GID 0 group, use the xxxx - group to perform the authentification. + group=xxxx Instead of checking the wheel or GID 0 groups, use + the xxxx group to perform the authentification. + + root_only The check for wheel membership is done only + if the uid of requested account is 0. MODULE SERVICES PROVIDED: auth _authentication, _setcred (blank) and _acct_mgmt diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 8cd8eb31..92cd44b9 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -75,7 +75,8 @@ static int is_on_list(char * const *list, const char *member) #define PAM_DEBUG_ARG 0x0001 #define PAM_USE_UID_ARG 0x0002 #define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 +#define PAM_DENY_ARG 0x0010 +#define PAM_ROOT_ONLY_ARG 0x0020 static int _pam_parse(int argc, const char **argv, char *use_group, size_t group_length) 
@@ -97,6 +98,8 @@ static int _pam_parse(int argc, const char **argv, char *use_group,
 ctrl |= PAM_TRUST_ARG;
 else if (!strcmp(*argv,"deny"))
 ctrl |= PAM_DENY_ARG;
+ else if (!strcmp(*argv,"root_only"))
+ ctrl |= PAM_ROOT_ONLY_ARG;
 else if (!strncmp(*argv,"group=",6))
 strncpy(use_group,*argv+6,group_length-1);
 else {
@@ -124,14 +127,19 @@ static int perform_check(pam_handle_t *pamh, int flags, int ctrl,
 return PAM_SERVICE_ERR;
 }
- /* su to a uid 0 account ? */
 pwd = _pammodutil_getpwnam (pamh, username);
 if (!pwd) {
 if (ctrl & PAM_DEBUG_ARG) {
 _pam_log(LOG_NOTICE,"unknown user %s",username);
- }
+ }
 return PAM_USER_UNKNOWN;
 }
+ if (ctrl & PAM_ROOT_ONLY_ARG) {
+ /* su to a non uid 0 account ? */
+ if (pwd->pw_uid != 0) {
+ return PAM_IGNORE;
+ }
+ }
 if (ctrl & PAM_USE_UID_ARG) {
 tpwd = _pammodutil_getpwuid (pamh, getuid()); |
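Review bot: The new `root_only` early return in perform_check is silent even when `debug` is set, whereas the unknown-user path right above it logs under PAM_DEBUG_ARG before returning, so an administrator tracing why pam_wheel did not apply to a non-root target gets no syslog record of the PAM_IGNORE. Suggest logging before the return, matching the existing pattern: `if (ctrl & PAM_DEBUG_ARG) _pam_log(LOG_NOTICE, "root_only: %s is not uid 0, ignoring", username);`. The check keys on `pwd->pw_uid != 0` rather than the account name, so any uid-0 alias is covered by the option; that is the right choice for a wheel restriction but worth stating, e.g. replace the added comment with `/* root_only: the option applies to any uid 0 account, not just the one named root */`. perform_check starts before and continues after the hunk, so whether a later path also handles the non-root case cannot be confirmed from here.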