I'm having trouble with pam_wheel... i'm trying to put a su with no password for a specific user in wheel group. for this, i added : auth required /lib/security/pam_wheel.so group=wheel auth sufficient /lib/security/pam_wheel.so trust to /etc/pam.d/su as soon as i activate the first line, i get a segfault. I compiled with i686 default optimizations, gcc 2.95 ...
I get the same .. will look into it.
Ok, seems pam_wheel.so do not like it when it do not have the "use_uid" argument. I am not sure if this bug is a known one .. ill try to find out. It works fine this side, when my /etc/pam.d/su looks like: -----------------------------cut---------------------------------- #%PAM-1.0 auth sufficient /lib/security/pam_rootok.so auth sufficient /lib/security/pam_wheel.so use_uid trust group=wheel auth required /lib/security/pam_wheel.so use_uid auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_xauth.so -----------------------------cut---------------------------------- For your setup, I guess the following should work: -----------------------------cut---------------------------------- auth required /lib/security/pam_wheel.so use_uid group=wheel auth sufficient /lib/security/pam_wheel.so use_uid trust -----------------------------cut----------------------------------
yes it works ok for me too. it seems logical from the docs, but isn't required in debian (for instance, this is were I was taking my setup from). Maybe they patched something... they're using pam 0.72
If possible, grab all pam_wheel patches they use, and mail me.
OK, got it. Dont know how, but that patches you send triggered it I guess ;) I am not going to make a new revision now, but wait a bit, emerge rsync, and check if pam-0.75-r7 have the ${P}-pam_wheel-segfault.patch patch in src_unpack(). Then merge, and try with your original config. Problem it seems, is that they used "fromsu" in ${S}/modules/pam_wheel/pam_wheel.c without checking that it contained a valid pointer (this is when "use_uid" is NOT given as parameter to pam_wheel.so). I fixed it by checking if it is valid, and if not, act as if "use_uid" as given as argument to pam_wheel.so.
Created attachment 2696 [details, diff] pam-0.75-pam_wheel-segfault.patch This one goes in after all the patches from pam-0.75-21mdk.src.rpm. What do bug me, is that the call fails in the first place .. is it a problem with Gentoo? Didnt Redhat/Mandrake notice it yet?
as far as I know, Mandrake and RedHat do not have the same restriction on su as we do. In other words, users are not required to be a part of the wheel group. Here is what one Mandrake user (and Gentoo user :) had to say: <c0ns0le-hm> grep -n wheel /etc/groups <c0ns0le-hm> grep -n wheel /etc/group 38:wheel:x:10:root,c0ns0le <c0ns0le-hm> grep -n wheel /etc/pam.d/su 3:# Uncomment the following line to implicitly trust users in the "wheel" group. <c0ns0le-hm> 4:auth sufficient /lib/security/pam_wheel.so trust use_uid <c0ns0le-hm> 5:# Uncomment the following line to require a user to be in the "wheel" group. <c0ns0le-hm> 6:#auth required /lib/security/pam_wheel.so use_uid <c0ns0le-hm> no seggz
Seems Mandrake just work "around" the problem. Marc Cousin: If this is fixed for you, can you please close this bug ?
