Bug 161579 - pam_wheel restricts "su - otheruser" for users of non wheel group
Summary: pam_wheel restricts "su - otheruser" for users of non wheel group
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
Depends On:
Reported: 2005-06-24 16:30 UTC by Mustafa Mahudhawala
Modified: 2015-01-08 00:10 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2005-09-08 17:21:24 UTC
Target Upstream Version:

Attachments
Patch to provide additional target_uid option to pam_wheel (deleted)
2005-06-24 16:33 UTC, Mustafa Mahudhawala

Description Mustafa Mahudhawala 2005-06-24 16:30:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
Though the README for pam_wheel says it restricts only root authentication for users other than members of group wheel, in practice it restricts authentication for any other user as well, e.g.

When you enable pam_wheel for su, using ..

auth       required     /lib/security/$ISA/ debug use_uid

in /etc/pam.d/su

Users not in the wheel group cannot do a "su - otheruser" either, whereas they should only be restricted from "su -" or "su - root".

Many times the requirement is for restricting only root access via su to selected members, whereas other users should be able to change to non-root users using "su - otheruser".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
As in Description.

Actual Results:  su - otheruser fails.

Expected Results:  should succeed.

Additional info:

However, correcting this could have security implications for existing pam_wheel users who rely on this incorrect pam_wheel behaviour. Hence suggest having an additional option for pam_wheel.

Comment 1 Mustafa Mahudhawala 2005-06-24 16:33:36 UTC
Created attachment 115943 [details]
Patch to provide additional target_uid option to pam_wheel

Comment 2 Mustafa Mahudhawala 2005-06-24 16:37:35 UTC
Attached above is a patch I wrote for pam_wheel (against pam-0.77-66.5) that
provides an additional parameter "target_uid", with which the pam_wheel
restrictions on the group of the user invoking the PAM authentication service
apply only if the target uid matches the uid specified by the target_uid parameter.

Without this option, pam_wheel works like before.

Comment 3 Mustafa Mahudhawala 2005-06-24 16:39:46 UTC
e.g. where you want to allow only certain users to su to
root, but all users to su to other normal users ..

auth       required     /lib/security/$ISA/ use_uid target_uid=0 

in /etc/pam.d/su

Comment 4 Tomas Mraz 2005-06-26 13:36:34 UTC
This is a known deficiency of pam_wheel in PAM <= 0.77; it was fixed in PAM-0.78
upstream. The option is "root_only" and it takes no UID parameter.

If adding this feature request is acked by PM, I will rather backport the
"root_only" patch so we will be compatible with future RHEL releases.
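An added example, not the reporter's patch or pam_wheel's own code: a small POSIX sh script that classifies what a pam_wheel line in /etc/pam.d/su gates on wheel membership and then evaluates the scenario from the report. The sample config lines and the module file name pam_wheel.so are constructed; the root_only semantics follow Tomas Mraz's comment, and the proposed target_uid=N option is modelled as the reporter describes it (gating only that target uid).

```shell
#!/bin/sh
# Added example, not code from the bug report or from Linux-PAM.
# pam_wheel_scope reads an /etc/pam.d/su-style config and reports what the
# pam_wheel auth line gates on wheel membership:
#   all    - every su target (the PAM <= 0.77 behaviour the report describes)
#   root   - only su to uid 0 (the upstream root_only option)
#   uid:N  - only su to uid N (the reporter's proposed target_uid=N option)
#   none   - no pam_wheel auth line found
pam_wheel_scope() {
    printf '%s\n' "$1" | awk '
    $1 == "auth" && $3 ~ /pam_wheel/ {
        scope = "all"
        for (i = 4; i <= NF; i++) {
            if ($i == "root_only") scope = "root"
            else if ($i ~ /^target_uid=/) { split($i, kv, "="); scope = "uid:" kv[2] }
        }
        print scope; found = 1; exit
    }
    END { if (!found) print "none" }'
}

# su_allowed SCOPE IN_WHEEL TARGET_UID: returns 0 when pam_wheel lets the
# invoking user (IN_WHEEL is 1 if a member of group wheel) su to TARGET_UID.
su_allowed() {
    scope=$1; in_wheel=$2; target=$3
    gated=0
    case "$scope" in
        all)   gated=1 ;;
        root)  [ "$target" -eq 0 ] && gated=1 ;;
        uid:*) [ "$target" -eq "${scope#uid:}" ] && gated=1 ;;
    esac
    [ "$gated" -eq 0 ] || [ "$in_wheel" -eq 1 ]
}

# Constructed sample lines (the module file name pam_wheel.so is assumed).
SU_ALL='auth       required     /lib/security/$ISA/pam_wheel.so debug use_uid'
SU_ROOT_ONLY='auth       required     /lib/security/$ISA/pam_wheel.so use_uid root_only'
SU_TARGET='auth       required     /lib/security/$ISA/pam_wheel.so use_uid target_uid=0'

# The reporter's case: a non-wheel user running "su - otheruser" (uid 1001).
for cfg in "$SU_ALL" "$SU_ROOT_ONLY" "$SU_TARGET"; do
    scope=$(pam_wheel_scope "$cfg")
    if su_allowed "$scope" 0 1001; then verdict=allowed; else verdict=denied; fi
    printf '%-7s non-wheel user -> uid 1001: %s\n' "$scope" "$verdict"
done
```

On a live host, `pam_wheel_scope "$(cat /etc/pam.d/su)"` tells you which of the three behaviours that system's su stack will exhibit.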

Comment 5 Tomas Mraz 2005-09-08 17:21:24 UTC
This problem will be resolved in a future major release of Red Hat Enterprise
Linux. Red Hat does not currently plan to provide a resolution for this in a Red
Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.

Comment 6 slakshmanarao 2009-05-26 20:00:26 UTC

1. With PAM = 0.99, I am using root_only in the pam_wheel module from /etc/pam.d/su. That worked fine in restricting su to root access to group wheel, and still allowing
   non wheel group users to do su to other accounts.
However I thought your solution is better, because the target_uid option gives the ability to restrict a given group to su to a specified target_uid account.
So I would like to try it. But your bug fix doesn't have the procedure to install the fix. Can you send any update on how to install the fix.

thanks & regards
