Subject: Status: [PATCH] system: Allow root to run "su" without password.

retitle 26827 [PATCH] system: Allow root to run "su" without password.
reassign 26827 guix-patches
submitter 26827 Ricardo Wurmus
severity 26827 normal
tag 26827 patch
thanks

From: Ricardo Wurmus
To: guix-patches@gnu.org
Subject: [PATCH] system: Allow root to run "su" without password.
Date: Mon, 8 May 2017 12:52:33 +0200

* gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
auth field when ALLOW-ROOT? is #T.
(base-pam-services): Allow root to run "su" without authentication.
---
 gnu/system/pam.scm | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 4546c1a73..eedf93394 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm
@@ -204,21 +204,27 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." (env (pam-entry ; to honor /etc/environment. (control "required") (module "pam_env.so")))) - (lambda* (name #:key allow-empty-passwords? motd) + (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd) "Return a standard Unix-style PAM service for NAME. When -ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it -should be a file-like object used as the message-of-the-day." +ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is +true, allow root to run the command without authentication. When MOTD is +true, it should be a file-like object used as the message-of-the-day." ;; See . (let ((name* name)) (pam-service (name name*) (account (list unix)) - (auth (list (if allow-empty-passwords? - (pam-entry - (control "required") - (module "pam_unix.so") - (arguments '("nullok"))) - unix))) + (auth (append (if allow-root? + (list (pam-entry + (control "sufficient") + (module "pam_rootok.so"))) + '()) + (list (if allow-empty-passwords? + (pam-entry + (control "required") + (module "pam_unix.so") + (arguments '("nullok"))) + unix)))) (password (list (pam-entry (control "required") (module "pam_unix.so") 
@@ -256,7 +262,12 @@ authenticate to run COMMAND." ;; These programs are setuid-root. (map (cut unix-pam-service <> #:allow-empty-passwords? allow-empty-passwords?) - '("su" "passwd" "sudo")) + '("passwd" "sudo")) + ;; This is setuid-root, as well. Allow root to run "su" without + ;; authenticating. + (list (unix-pam-service "su" + #:allow-empty-passwords? allow-empty-passwords? + #:allow-root? #t)) ;; These programs are not setuid-root, and we want root to be able ;; to run them without having to authenticate (notably because -- 2.12.2
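
Review bot: In the first hunk (unix-pam-service), the new docstring sentence "allow root to run the command without authentication" does not say that only the auth field changes: the pam_rootok.so entry is added there with control "sufficient" ahead of pam_unix.so, while the account, password and session fields are untouched. Suggest saying so in the docstring and adding a comment that the entry has to stay first in the auth list, since with the "required" pam_unix.so entry in front of it root would be asked for a password before pam_rootok.so is consulted. Minor style point: (allow-root? #f) spells out a default that allow-empty-passwords? and motd leave implicit; one form throughout would read better.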
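
Review bot: In the second hunk (base-pam-services), the new comment above the "su" entry says what it does but not why "su" alone gets #:allow-root? #t, while "passwd" and "sudo" sit under the same "setuid-root" comment and keep the old behaviour. Suggest one sentence of rationale there so the difference reads as deliberate. The argument pair "#:allow-empty-passwords? allow-empty-passwords?" is also now repeated at two call sites a few lines apart; a short comment or a shared binding would keep the two from drifting.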

From: ludo@gnu.org (Ludovic Courtès)
To: Ricardo Wurmus
Subject: Re: bug#26827: [PATCH] system: Allow root to run "su" without password.
Date: Mon, 08 May 2017 16:41:20 +0200

Ricardo Wurmus wrote:

> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
> auth field when ALLOW-ROOT? is #T.
> (base-pam-services): Allow root to run "su" without authentication.

LGTM, thanks for fixing it!

Ludo'.

From: Ricardo Wurmus
To: Ludovic Courtès
Subject: Re: bug#26827: [PATCH] system: Allow root to run "su" without password.
Date: Mon, 08 May 2017 23:08:35 +0200

Ludovic Courtès writes:

> Ricardo Wurmus wrote:
>
>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>> auth field when ALLOW-ROOT? is #T.
>> (base-pam-services): Allow root to run "su" without authentication.
>
> LGTM, thanks for fixing it!

Thanks for the review!

Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8.

I’m glad it wasn’t so difficult to fix it. This annoyed me for a while, but I
never got around to looking a little more closely…

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net

From: Ricardo Wurmus
To: Ludovic Courtès
Subject: Re: bug#26827: [PATCH] system: Allow root to run "su" without password.
Date: Mon, 08 May 2017 23:12:35 +0200

Ricardo Wurmus writes:

> Ludovic Courtès writes:
>
>> Ricardo Wurmus wrote:
>>
>>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>>> auth field when ALLOW-ROOT? is #T.
>>> (base-pam-services): Allow root to run "su" without authentication.
>>
>> LGTM, thanks for fixing it!
>
> Thanks for the review!
>
> Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8.

Actually, it was e586257b550918fefaab3970f2c314d6285f54ab. Forgot to push :)

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net

From: Debbugs Internal Request
Subject: Internal Control
Date: Tue, 06 Jun 2017 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.