GNU bug report logs -
#26827
[PATCH] system: Allow root to run "su" without password.
Previous Next
Reported by: Ricardo Wurmus <rekado <at> elephly.net>
Date: Mon, 8 May 2017 10:53:02 UTC
Severity: normal
Tags: patch
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 26827 in the body.
You can then email your comments to 26827 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#26827; Package
guix-patches.
(Mon, 08 May 2017 10:53:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ricardo Wurmus <rekado <at> elephly.net>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Mon, 08 May 2017 10:53:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
auth field when ALLOW-ROOT? is #T.
(base-pam-services): Allow root to run "su" without authentication.
---
gnu/system/pam.scm | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 4546c1a73..eedf93394 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -204,21 +204,27 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(env (pam-entry ; to honor /etc/environment.
(control "required")
(module "pam_env.so"))))
- (lambda* (name #:key allow-empty-passwords? motd)
+ (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd)
"Return a standard Unix-style PAM service for NAME. When
-ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it
-should be a file-like object used as the message-of-the-day."
+ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
+true, allow root to run the command without authentication. When MOTD is
+true, it should be a file-like object used as the message-of-the-day."
;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
(let ((name* name))
(pam-service
(name name*)
(account (list unix))
- (auth (list (if allow-empty-passwords?
- (pam-entry
- (control "required")
- (module "pam_unix.so")
- (arguments '("nullok")))
- unix)))
+ (auth (append (if allow-root?
+ (list (pam-entry
+ (control "sufficient")
+ (module "pam_rootok.so")))
+ '())
+ (list (if allow-empty-passwords?
+ (pam-entry
+ (control "required")
+ (module "pam_unix.so")
+ (arguments '("nullok")))
+ unix))))
(password (list (pam-entry
(control "required")
(module "pam_unix.so")
@@ -256,7 +262,12 @@ authenticate to run COMMAND."
;; These programs are setuid-root.
(map (cut unix-pam-service <>
#:allow-empty-passwords? allow-empty-passwords?)
- '("su" "passwd" "sudo"))
+ '("passwd" "sudo"))
+ ;; This is setuid-root, as well. Allow root to run "su" without
+ ;; authenticating.
+ (list (unix-pam-service "su"
+ #:allow-empty-passwords? allow-empty-passwords?
+ #:allow-root? #t))
;; These programs are not setuid-root, and we want root to be able
;; to run them without having to authenticate (notably because
--
2.12.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#26827; Package
guix-patches.
(Mon, 08 May 2017 14:42:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 26827 <at> debbugs.gnu.org (full text, mbox):
Ricardo Wurmus <rekado <at> elephly.net> skribis:
> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
> auth field when ALLOW-ROOT? is #T.
> (base-pam-services): Allow root to run "su" without authentication.
LGTM, thanks for fixing it!
Ludo'.
Reply sent
to
Ricardo Wurmus <rekado <at> elephly.net>:
You have taken responsibility.
(Mon, 08 May 2017 21:09:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Ricardo Wurmus <rekado <at> elephly.net>:
bug acknowledged by developer.
(Mon, 08 May 2017 21:09:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 26827-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> Ricardo Wurmus <rekado <at> elephly.net> skribis:
>
>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>> auth field when ALLOW-ROOT? is #T.
>> (base-pam-services): Allow root to run "su" without authentication.
>
> LGTM, thanks for fixing it!
Thanks for the review!
Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8. I’m
glad it wasn’t so difficult to fix it. This annoyed me for a while, but
I never got around to looking a little more closely…
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Information forwarded
to
guix-patches <at> gnu.org:
bug#26827; Package
guix-patches.
(Mon, 08 May 2017 21:13:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 26827-done <at> debbugs.gnu.org (full text, mbox):
Ricardo Wurmus <rekado <at> elephly.net> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Ricardo Wurmus <rekado <at> elephly.net> skribis:
>>
>>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>>> auth field when ALLOW-ROOT? is #T.
>>> (base-pam-services): Allow root to run "su" without authentication.
>>
>> LGTM, thanks for fixing it!
>
> Thanks for the review!
>
> Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8.
Actually, it was e586257b550918fefaab3970f2c314d6285f54ab. Forgot to
push :)
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 06 Jun 2017 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 12 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.