only permit root authentication to members of wheel group
RECOGNIZED ARGUMENTS:
- debug write a message to syslog indicating success or
+ debug Write a message to syslog indicating success or
failure.
- use_uid the check for wheel membership will be done against
+ use_uid The check for wheel membership will be done against
the current uid instead of the original one
(useful when jumping with su from one account to
- another for example)
-
- trust the pam_wheel module will return PAM_SUCCESS instead
+ another for example).
+
+ trust The pam_wheel module will return PAM_SUCCESS instead
of PAM_IGNORE if the user is a member of the wheel
group (thus with a little play stacking the modules
the wheel members may be able to su to root without
PAM_IGNORE (unless 'trust' was also specified, in
which case we return PAM_SUCCESS).
- group=xxxx Instead of checking the GID 0 group, use the xxxx
- group to perform the authentification.
+ group=xxxx Instead of checking the wheel or GID 0 groups, use
+ the xxxx group to perform the authentification.
+
+ root_only The check for wheel membership is done only
+ if the uid of requested account is 0.
MODULE SERVICES PROVIDED:
auth _authentication, _setcred (blank) and _acct_mgmt
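Review bot: the rewritten `group=xxxx` text at the `+` line still carries the typo "authentification"; since the line is being touched anyway, make it "authentication". The new `root_only` entry should also state what the module returns when the requested account is not uid 0 (PAM_IGNORE, per the code change below) and whether that happens regardless of `trust` and `deny`, since stacking behaviour is exactly what an administrator reads this block for; "the uid of requested account" also wants "the" before "requested". Suggested wording: `root_only   The check for wheel membership is done only if the uid of the requested account is 0; for any other account the module returns PAM_IGNORE.`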
#define PAM_DEBUG_ARG 0x0001
#define PAM_USE_UID_ARG 0x0002
#define PAM_TRUST_ARG 0x0004
-#define PAM_DENY_ARG 0x0010
+#define PAM_DENY_ARG 0x0010
+#define PAM_ROOT_ONLY_ARG 0x0020
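Review bot: the `-#define PAM_DENY_ARG 0x0010` / `+#define PAM_DENY_ARG 0x0010` pair is a whitespace-only change (the two lines are textually identical here); either drop it so the hunk shows only the new flag, or mention the whitespace cleanup in the commit message. `PAM_ROOT_ONLY_ARG 0x0020` follows the existing sequence, which skips 0x0008; that is fine as long as 0x0008 is not defined elsewhere, and a short comment marking it reserved would avoid a later collision.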
static int _pam_parse(int argc, const char **argv, char *use_group,
size_t group_length)
ctrl |= PAM_TRUST_ARG;
else if (!strcmp(*argv,"deny"))
ctrl |= PAM_DENY_ARG;
+ else if (!strcmp(*argv,"root_only"))
+ ctrl |= PAM_ROOT_ONLY_ARG;
else if (!strncmp(*argv,"group=",6))
strncpy(use_group,*argv+6,group_length-1);
else {
return PAM_SERVICE_ERR;
}
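Review bot: the new `root_only` branch mirrors the existing flag parsing, but the documentation hunk lists `root_only` last while the parser places it between `deny` and `group=`; keep the two lists in the same order so the next flag lands in one predictable place. Like the other keywords it is matched with `strcmp`, so a misspelling in pam.conf falls through to `return PAM_SERVICE_ERR`, which is the right failure mode.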
- /* su to a uid 0 account ? */
pwd = _pammodutil_getpwnam (pamh, username);
if (!pwd) {
if (ctrl & PAM_DEBUG_ARG) {
_pam_log(LOG_NOTICE,"unknown user %s",username);
- }
+ }
return PAM_USER_UNKNOWN;
}
+ if (ctrl & PAM_ROOT_ONLY_ARG) {
+ /* su to a non uid 0 account ? */
+ if (pwd->pw_uid != 0) {
+ return PAM_IGNORE;
+ }
+ }
if (ctrl & PAM_USE_UID_ARG) {
tpwd = _pammodutil_getpwuid (pamh, getuid());
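Review bot: the deleted `/* su to a uid 0 account ? */` comment was the only explanation for the `_pammodutil_getpwnam` lookup that follows; since that lookup now serves both the `root_only` test and the later group check, replace it rather than drop it (e.g. `/* look up the requested account */`). The `root_only` block itself is placed correctly: it comes after the unknown-user check, so a nonexistent target still yields PAM_USER_UNKNOWN, and it tests `pwd->pw_uid != 0` rather than the account name, so a uid 0 account other than `root` is still covered. Note that `return PAM_IGNORE` fires before `deny` and `trust` are consulted, so with `root_only deny` a non-root target is ignored rather than denied; confirm that is intended and say so in the documentation. The `-   }` / `+   }` pair looks whitespace-only and could be dropped from the hunk.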