-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pam_wheel: introduce auth_self mode #609
base: master
Are you sure you want to change the base?
Conversation
Some Linux vendors use the wheel group to make users in that group authenticate with their own password as root. Ie sudo mode.
else if ((str = pam_str_skip_prefix(*argv, "group=")) != NULL) | ||
strncpy(use_group, str, group_length - 1); | ||
else { | ||
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); | ||
} | ||
} | ||
|
||
if ((ctrl & (PAM_DENY_ARG|PAM_TRUST_ARG)) && (ctrl & PAM_AUTH_SELF)) { | ||
pam_syslog(pamh, LOG_ERR, "can't combine 'auth_self' with 'trust' or 'deny' args %x", ctrl); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
%#x
suits best for printing hexadecimals.
if (ctrl & PAM_DEBUG_ARG) { | ||
pam_syslog(pamh, LOG_NOTICE, "changing authentication target to %s", fromsu); | ||
} | ||
if (pam_set_item(pamh, PAM_USER, fromsu) != PAM_SUCCESS) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing PAM_USER
is a big hammer, its effects go far beyond the authentication. In particular, session stack modules would use this new PAM_USER
, for example, pam_loginuid would set loginuid to the caller uid instead of the target uid, pam_limits would apply limits for the caller uid instead of the target uid, and so on. In other words, I don't see how to use this new feature safely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, good point. So that means support for this kind of authentication would have to go directly into pam_unix
Some Linux vendors use the wheel group to make users in that group authenticate with their own password as root. Ie sudo mode.