Hi,

just noticed a slight semantic change while using su:
Before PAM, you could disable the wheel check by leaving this group empty.
Now this isn't possible any more.

I know I just could comment out pam_wheel from /etc/pam.conf but what
about the following solution:
Adding another flag for pam_wheel, which reintroduces the old syntax.
It is quite simple and straightforward (see attached patch).

Any comments?


Daniel
Index: pam_wheel.c
===================================================================
RCS file: /data/cvs/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v
retrieving revision 1.5
diff -u -r1.5 pam_wheel.c
--- pam_wheel.c 26 Aug 2001 18:09:00 -0000      1.5
+++ pam_wheel.c 12 Oct 2001 21:41:05 -0000
@@ -42,7 +42,7 @@
 #include <pam_mod_misc.h>
 
 enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
-       PAM_OPT_AUTH_AS_SELF, PAM_OPT_NOROOT_OK };
+       PAM_OPT_AUTH_AS_SELF, PAM_OPT_NOROOT_OK, PAM_OPT_NULL_IGN };
 
 static struct opttab other_options[] = {
        { "deny",               PAM_OPT_DENY },
@@ -50,6 +50,7 @@
        { "trust",              PAM_OPT_TRUST },
        { "auth_as_self",       PAM_OPT_AUTH_AS_SELF },
        { "noroot_ok",          PAM_OPT_NOROOT_OK },
+       { "null_ignore",        PAM_OPT_NULL_IGN },
        { NULL, 0 }
 };
 
@@ -127,6 +128,8 @@
                if (pam_test_option(&options, PAM_OPT_DENY, NULL))
                        PAM_RETURN(PAM_IGNORE);
                else {
+                       if(pam_test_option(&options, PAM_OPT_NULL_IGN, NULL))
+                               PAM_RETURN(PAM_IGNORE);
                        PAM_VERBOSE_ERROR("Permission denied");
                        PAM_RETURN(PAM_AUTH_ERR);
                }
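Review bot: With `null_ignore` set, the added `PAM_RETURN(PAM_IGNORE)` in the `else` branch makes the module fail open silently, and the condition guarding this branch lies outside the hunk, so it cannot be confirmed here that it is reached only for a group with no members and not also for a group that does not exist or could not be looked up. If a missing group or a failed lookup also lands here, a mistyped group option value or a damaged group database would lift the wheel restriction without leaving any trace. I would limit the new return to the genuinely empty-group case, log it through the module's existing logging, and add a comment such as `/* null_ignore: pre-PAM su behaviour, skip the wheel check when the group has no members */`. The new line also writes `if(` where the surrounding code uses `if (`.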
