Bug#: 80345
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo's Team for Core System packages <base-system@gentoo.org>
Reporter: Gregorio Guidi (RETIRED) <greg_g@gentoo.org>

Attachment: shadow-4.0.7-wheel.patch (type: patch, 370 bytes), created by Gregorio Guidi (RETIRED), 2005-02-01 07:50 0000

Description:   Opened: 2005-02-01 07:50 0000
The current ebuilds for shadow apply a patch (shadow-4.0.5-login.defs.patch)
that sets the default value for SU_WHEEL_ONLY to yes.
This applies to non-PAM systems, and was intended to match the
behaviour of PAM systems, where pam_wheel is enabled by default (that's 
explained in the handbook, too).

However, the result is not the same: the implementation of SU_WHEEL_ONLY in
shadow is such that only users in the group with gid=0 can su to root, and
not users belonging to the wheel group.

I think we should apply the following patch, which changes the behaviour of
SU_WHEEL_ONLY to match PAM (and to be consistent with its name).

Maybe this should be also submitted upstream?

------- Comment #1 From Gregorio Guidi (RETIRED) 2005-02-01 07:50:58 0000 -------
Created an attachment (id=50134)
shadow-4.0.7-wheel.patch

------- Comment #2 From SpanKY 2005-02-06 15:41:32 0000 -------
added 4.0.7 w/patch & e-mailed patch upstream, thanks

------- Comment #3 From Gregorio Guidi (RETIRED) 2005-02-10 03:16:48 0000 -------
*** Bug 81175 has been marked as a duplicate of this bug. ***

------- Comment #4 From Adam 2005-02-10 13:05:12 0000 -------
Rather than patching su, how about installing a file /etc/suauth containing the
line:
root:ALL EXCEPT GROUP wheel:DENY
and leaving SU_WHEEL_ONLY as no?

See man suauth for details on what this does.
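
The difference the report describes, and the /etc/suauth alternative from comment #4, checked against a constructed group file. This is an added example, not code from shadow or from any commenter; the sample group data, the function names, and the treatment of membership as the group's listed members only are assumptions.

```python
# Constructed sample /etc/group content; not taken from the bug report.
SAMPLE_GROUP = """\
root:x:0:root
wheel:x:10:root,alice
users:x:100:alice,bob
"""
SUAUTH_RULE = "root:ALL EXCEPT GROUP wheel:DENY"  # line quoted in comment #4

def parse_group(text):
    """Map group name -> (gid, member set) from /etc/group-format text."""
    groups = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def in_gid0_group(groups, user):
    """Check the report describes: listed in the group whose gid is 0."""
    return any(gid == 0 and user in mem for gid, mem in groups.values())

def in_wheel_group(groups, user):
    """Check the report asks for: listed in the group named wheel."""
    return user in groups.get("wheel", (None, set()))[1]

def suauth_denies(rule, groups, user, target="root"):
    """Evaluate one '<to>:ALL EXCEPT GROUP <groups>:DENY' line (only this form)."""
    to_id, from_id, action = rule.strip().split(":")
    prefix = "ALL EXCEPT GROUP "
    if action != "DENY" or not from_id.startswith(prefix):
        raise ValueError("only 'ALL EXCEPT GROUP ...:DENY' is handled here")
    if to_id != "ALL" and target not in to_id.split(","):
        return False  # rule does not apply to this target account
    exempt = set()
    for name in from_id[len(prefix):].split(","):
        exempt |= groups.get(name.strip(), (None, set()))[1]
    return user not in exempt

def compare(groups, users, rule=SUAUTH_RULE):
    """Per user: may they attempt su to root under each of the three checks?"""
    return {u: (in_gid0_group(groups, u), in_wheel_group(groups, u),
                not suauth_denies(rule, groups, u)) for u in users}

if __name__ == "__main__":
    for user, row in compare(parse_group(SAMPLE_GROUP), ["root", "alice", "bob"]).items():
        print(user, dict(zip(("gid0", "wheel", "suauth"), row)))
```

In the sample, alice is in wheel but not in the gid=0 group, so she is the user for whom the gid=0 check and the other two disagree.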
