Re: Follow-up Re: su: user->root ok, user1->user2 ok, root->user NOK
- From: Andreas Hasenack <andreas conectiva com br>
- To: pam-list redhat com
- Subject: Re: Follow-up Re: su: user->root ok, user1->user2 ok, root->user NOK
- Date: Fri, 4 Jan 2002 16:31:59 -0200
On Fri, Jan 04, 2002 at 01:19:43PM -0500, Swanson, Bryan wrote:
> note the use of pam_rootok to prevent root from having to supply
> a user's password ... also non-wheel members can't su to uid 0
I tried pam_rootok but it had no effect. Actually, su returns from
the password check routine if uid=0, so it's as if pam_rootok were
there.
I even tried using only pam_permit.so in /etc/pam.d/su, for all
classes, and still couldn't make root su to somebody else (regular
users could su to anybody without passwords as expected from this
change, though).
Using your /etc/pam.d/su file also didn't make it work.
Applying the following patch from RH (one of those 50) worked for me. If
this is correct, I suppose it would be nice to have someone more
familiar with pam development to take a look at the other 49 patches
and see if there are any more things that could be added to the official
linux-pam tree.
------------------------------------------------------------------------------
If the application wants to close a session it hasn't opened, we shouldn't fail
outright, but return the result of running the stack.
--- Linux-PAM-0.75/libpam/pam_dispatch.c
+++ Linux-PAM-0.75/libpam/pam_dispatch.c
@@ -99,10 +99,14 @@
return retval;
}
+ cached_retval = -1;
+
if (use_cached_chain) {
/* a former stack execution has frozen the chain */
cached_retval = *(h->cached_retval_p);
- } else {
+ }
+
+ if (cached_retval == -1) {
/* this stack execution is defining the frozen chain */
cached_retval = h->cached_retval = retval;
}
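Review bot: The hunk reads the frozen value through `*(h->cached_retval_p)` but, when it falls through to the `if (cached_retval == -1)` branch, writes it to `h->cached_retval` only; nothing in these lines shows that the two refer to the same storage, so if they do not alias, a session closed without a prior open will define the chain on this handler while the next handler still reads -1 through its pointer. The fix also depends on -1 being a value that no frozen stack can legitimately hold and on whatever is behind `cached_retval_p` starting out as -1 in the never-frozen case; neither is established in the hunk. Suggest naming the sentinel (a `#define` next to the `cached_retval` field), initialising the cached slot to it where the handler is allocated, and adding a one-line comment above `cached_retval = -1;` saying that the fall-through is what lets close_session run without a matching open_session, since that is the behaviour the commit message promises.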