GNU bug report logs - #26827
[PATCH] system: Allow root to run "su" without password.

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#26827: closed ([PATCH] system: Allow root to run "su" without
 password.)
Date: Mon, 08 May 2017 21:09:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Mon, 08 May 2017 23:08:35 +0200
with message-id <871srzjbu4.fsf <at> elephly.net>
and subject line Re: bug#26827: [PATCH] system: Allow root to run "su" without password.
has caused the debbugs.gnu.org bug report #26827,
regarding [PATCH] system: Allow root to run "su" without password.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
26827: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=26827
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Ricardo Wurmus <rekado <at> elephly.net>
To: guix-patches <at> gnu.org
Cc: Ricardo Wurmus <rekado <at> elephly.net>
Subject: [PATCH] system: Allow root to run "su" without password.
Date: Mon,  8 May 2017 12:52:33 +0200

* gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
auth field when ALLOW-ROOT? is #T.
(base-pam-services): Allow root to run "su" without authentication.
---
 gnu/system/pam.scm | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 4546c1a73..eedf93394 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -204,21 +204,27 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
         (env  (pam-entry ; to honor /etc/environment.
                (control "required")
                (module "pam_env.so"))))
-    (lambda* (name #:key allow-empty-passwords? motd)
+    (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd)
       "Return a standard Unix-style PAM service for NAME.  When
-ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When MOTD is true, it
-should be a file-like object used as the message-of-the-day."
+ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
+true, allow root to run the command without authentication.  When MOTD is
+true, it should be a file-like object used as the message-of-the-day."
       ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
       (let ((name* name))
         (pam-service
          (name name*)
          (account (list unix))
-         (auth (list (if allow-empty-passwords?
-                         (pam-entry
-                          (control "required")
-                          (module "pam_unix.so")
-                          (arguments '("nullok")))
-                         unix)))
+         (auth (append (if allow-root?
+                           (list (pam-entry
+                                  (control "sufficient")
+                                  (module "pam_rootok.so")))
+                           '())
+                       (list (if allow-empty-passwords?
+                                 (pam-entry
+                                  (control "required")
+                                  (module "pam_unix.so")
+                                  (arguments '("nullok")))
+                                 unix))))
          (password (list (pam-entry
                           (control "required")
                           (module "pam_unix.so")
@@ -256,7 +262,12 @@ authenticate to run COMMAND."
           ;; These programs are setuid-root.
           (map (cut unix-pam-service <>
                     #:allow-empty-passwords? allow-empty-passwords?)
-               '("su" "passwd" "sudo"))
+               '("passwd" "sudo"))
+          ;; This is setuid-root, as well.  Allow root to run "su" without
+          ;; authenticating.
+          (list (unix-pam-service "su"
+                                  #:allow-empty-passwords? allow-empty-passwords?
+                                  #:allow-root? #t))
 
           ;; These programs are not setuid-root, and we want root to be able
           ;; to run them without having to authenticate (notably because
-- 
2.12.2

[Message part 3 (message/rfc822, inline)]

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 26827-done <at> debbugs.gnu.org
Subject: Re: bug#26827: [PATCH] system: Allow root to run "su" without
 password.
Date: Mon, 08 May 2017 23:08:35 +0200

Ludovic Courtès <ludo <at> gnu.org> writes:

> Ricardo Wurmus <rekado <at> elephly.net> skribis:
>
>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>> auth field when ALLOW-ROOT? is #T.
>> (base-pam-services): Allow root to run "su" without authentication.
>
> LGTM, thanks for fixing it!

Thanks for the review!

Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8.  I’m
glad it wasn’t so difficult to fix it.  This annoyed me for a while, but
I never got around to looking a little more closely…

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.