80345 2005-02-01 07:50 0000 correct use of SU_WHEEL_ONLY in sys-apps/shadow 2005-02-10 13:05:12 0000 1 1 1 Unclassified Gentoo Linux Core system unspecified All All RESOLVED FIXED P2 normal --- 1 greg_g@gentoo.org base-system@gentoo.org radek@podgorny.cz richard.adam@gmail.com greg_g@gentoo.org 2005-02-01 07:50:18 0000 The current ebuilds for shadow apply a pacth (shadow-4.0.5-login.defs.patch) that sets the default value for SU_WHEEL_ONLY to yes. This applies to non-PAM systems, and was intended to match the behaviour of PAM systems, where pam_wheel is enabled by default (that's explained in the handbook, too). However, the result is not the same: the implementation of SU_WHEEL_ONLY in shadow is such that only users in the group with gid=0 can su to root, and not users belonging to the wheel group. I think we should apply the following patch, which changes the behaviour of SU_WHEEL_ONLY to match PAM (and to be consistent with its name). Maybe this should be also submitted upstream? greg_g@gentoo.org 2005-02-01 07:50:58 0000 Created an attachment (id=50134) shadow-4.0.7-wheel.patch vapier@gentoo.org 2005-02-06 15:41:32 0000 added 4.0.7 w/patch & e-mailed patch upstream, thanks greg_g@gentoo.org 2005-02-10 03:16:48 0000 *** Bug 81175 has been marked as a duplicate of this bug. *** richard.adam@gmail.com 2005-02-10 13:05:12 0000 Rather than patching su, how about installing a file /etc/suauth containing the line: root:ALL EXCEPT GROUP wheel:DENY and leaving SU_WHEEL_ONLY as no? See man suauth for details on what this does. 50134 2005-02-01 07:50 0000 shadow-4.0.7-wheel.patch shadow-4.0.7-wheel.patch text/plain ZGlmZiAtdU5yIHNoYWRvdy00LjAuNy5vcmlnL3NyYy9zdS5jIHNoYWRvdy00LjAuNy9zcmMvc3Uu YwotLS0gc2hhZG93LTQuMC43Lm9yaWcvc3JjL3N1LmMJMjAwNS0wMi0wMSAxMjoyMjoxMS41NTM5 NTY4NjQgKzAxMDAKKysrIHNoYWRvdy00LjAuNy9zcmMvc3UuYwkyMDA1LTAyLTAxIDEyOjIyOjMz LjA3NzY4NDc2MCArMDEwMApAQCAtMTExLDcgKzExMSw3IEBACiB7CiAJc3RydWN0IGdyb3VwICpn cnA7CiAKLQlncnAgPSBnZXRncmdpZCAoMCk7CisJZ3JwID0gZ2V0Z3JuYW0gKCJ3aGVlbCIpOwog CWlmICghZ3JwIHx8ICFncnAtPmdyX21lbSkKIAkJcmV0dXJuIDA7CiAJcmV0dXJuIGlzX29uX2xp c3QgKGdycC0+Z3JfbWVtLCB1c2VybmFtZSk7Cg==