The PAM patch to su is flawed; it makes no sense to insist that stdin be a tty if the user's PAM-authorised. Here's the offending code:

+#ifdef USE_PAM + /* root always succeeds; this isn't an authentication question (no + * extra privs are being granted) so it shouldn't authenticate with PAM. + * However, we want to create the pam_handle so that proper credentials + * are created later with pam_setcred(). */ + retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh); + PAM_BAIL_P; + if (getuid () == 0) + return 1; + + if (!isatty(0)) { + fprintf(stderr, "standard in must be a tty\n"); + exit(1); + } + + + retval = pam_authenticate(pamh, 0); + PAM_BAIL_P; + retval = pam_acct_mgmt(pamh, 0); + if (retval == PAM_NEW_AUTHTOK_REQD) { + /* password has expired. Offer option to change it. */ + retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + PAM_BAIL_P; + } + PAM_BAIL_P; + /* must be authenticated if this point was reached */ + return 1; +#else /* !USE_PAM */

The version number (su --version) should also reflect this, NOT the unmodified FSF version.

If it is important to insist that stdin is a tty, then it should be done in one place: PAM. I suggest that it should be configurable - don't tell users how to use their system, instead provide tools and advice.

--
Cheers
John Summerfield

http://os2.ami.com.au/os2/ for OS/2 support. Configuration, networking, combined IBM ftpsites index.
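
Review bot: the `isatty(0)` check between `pam_start` and `pam_authenticate` calls `exit(1)` directly, so the non-tty path bypasses `PAM_BAIL_P` and leaves with no visible `pam_end` for the handle that `pam_start` has just created. It also hard-codes a policy decision in su ahead of the PAM stack and the `conv` conversation function passed to `pam_start`, and the comment block above explains only the root shortcut, not this restriction. Suggest dropping the check from this path, or, if it has to stay, performing it before `pam_start` and documenting the reason in the comment. Minor: `STDIN_FILENO` would read better than the literal `0`, and the error message does not name the program, although `PROGRAM_NAME` is already available here.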