0.77: please submit patches for this section with actual code/doc
patches!
+* pam_wheel was too aggressive to grant access (in the case of the
+ 'deny' option you want to pay attention to 'trust'). Fix from
+ Nalin (Bugs 476951, 476953 - agmorgan)
* account management support for: pam_shells, pam_listfile, pam_wheel
and pam_securetty (+ static module fix for pam_nologin). Patch from
- redhat through Harrold Welte (Bug 436435 - agmorgan).
+ redhat through Harald Welte (Bug 436435 - agmorgan).
* pam_wheel feature from Nalin - can use the module to provide wheel
access to non-root accounts. Also from Nalin, a bugfix related to
the primary group of the applicant is the 'wheel' group. (Bugs
Author.
<tag><bf>Management groups provided:</bf></tag>
-authentication
+authentication; account
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
-Requires libpwdb.
<tag><bf>Network aware:</bf></tag>
<p>
Only permit root access to members of the wheel (<tt/gid=0/) group.
-<sect2>Authentication component
+<sect2>Authentication and Account components
<p>
<descrip>
<tag><bf>Description:</bf></tag>
-This module is used to enforce the so-called <em/wheel/ group. By
+This module is used to enforce the so-called <em/wheel/ group. By
default, it permits root access to the system if the applicant user is
a member of the <tt/wheel/ group (first, the module checks for the
existence of a '<tt/wheel/' group. Otherwise the module defines the
group with group-id <tt/0/ to be the <em/wheel/ group).
+<p>
+The module can be used as either an '<tt/auth/' or an '<tt/account/'
+module.
+
<p>
The action of the module may be modified from this default by one or
more of the following flags in the <tt>/etc/pam.conf</tt> file.
<item>
<tt/deny/ -
-This is used to reverse the logic of the module's behavior.
-If the user is trying to get <tt/uid=0/ access and is a member of the wheel
+This is used to reverse the logic of the module's behavior. If the
+user is trying to get <tt/uid=0/ access and is a member of the wheel
group, deny access (for the wheel group, this is perhaps nonsense!):
it is intended for use in conjunction with the <tt/group=/ argument...
+Conversely, if the user is not in the group, return <tt/PAM_IGNORE/
+(unless <tt/trust/ was also specified, in which case we return
+<tt/PAM_SUCCESS/).
<item>
<tt/group=XXXX/ -
#
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
-su auth required pam_unix_auth.so
+su auth required pam_unix.so
</verb>
</tscreen>
pam_wheel:
- only permit root authentication too members of wheel group
+ only permit root authentication to members of wheel group
RECOGNIZED ARGUMENTS:
debug write a message to syslog indicating success or
is trying to get UID 0 access and is a member of the
wheel group, deny access (well, kind of nonsense, but
for use in conjunction with 'group' argument... :-)
+ Conversely, if the user is not in the group, return
+ PAM_IGNORE (unless 'trust' was also specified, in
+ which case we return PAM_SUCCESS).
group=xxxx Instead of checking the GID 0 group, use the xxxx
group to perform the authentification.
MODULE SERVICES PROVIDED:
- auth _authetication and _setcred (blank)
+ auth _authentication, _setcred (blank) and _acct_mgmt
AUTHOR:
- Cristian Gafton <gafton@sorosis.ro>
+ Cristian Gafton <gafton@redhat.com>
if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_NOTICE,"Access %s to '%s' for '%s'",
- (ctrl & PAM_DENY_ARG)?"denied":"granted",
- fromsu,username);
+ if (ctrl & PAM_DENY_ARG) {
+ retval = PAM_PERM_DENIED;
+
+ } else if (ctrl & PAM_TRUST_ARG) {
+ retval = PAM_SUCCESS; /* this can be a sufficient check */
+
+ } else {
+ retval = PAM_IGNORE;
}
+ } else {
+
if (ctrl & PAM_DENY_ARG) {
- return PAM_PERM_DENIED;
- } else {
+
if (ctrl & PAM_TRUST_ARG) {
- return PAM_SUCCESS; /* this can be a sufficient check */
+ retval = PAM_SUCCESS; /* this can be a sufficient check */
} else {
- return PAM_IGNORE;
+ retval = PAM_IGNORE;
}
+
+ } else {
+ retval = PAM_PERM_DENIED;
}
}
if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_NOTICE,"Access %s for '%s' to '%s'",
- (ctrl & PAM_DENY_ARG)?"granted":"denied",fromsu,username);
+ if (retval == PAM_IGNORE) {
+ _pam_log(LOG_NOTICE, "Ignoring access request '%s' for '%s'",
+ fromsu, username);
+ } else {
+ _pam_log(LOG_NOTICE, "Access %s to '%s' for '%s'",
+ (retval != PAM_SUCCESS) ? "denied":"granted",
+ fromsu, username);
+ }
}
- if (ctrl & PAM_DENY_ARG) {
- return PAM_SUCCESS; /* this can be a sufficient check */
- } else {
- return PAM_PERM_DENIED;
- }
+ return retval;
}
/* --- authentication management functions --- */