Add the "auth_as_self" option to the pam_unix module (there is no

reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).

1 files changed, 8 insertions, 3 deletions

diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 329b784..c8ddde7 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -62,12 +62,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	options = 0;
 	for (i = 0;  i < argc;  i++)
 		pam_std_option(&options, argv[i]);
-	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
-		return retval;
+	if (options & PAM_OPT_AUTH_AS_SELF)
+		pwd = getpwuid(getuid());
+	else {
+		if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+			return retval;
+		pwd = getpwnam(user);
+	}
 	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
 	    options)) != PAM_SUCCESS)
 		return retval;
-	if ((pwd = getpwnam(user)) != NULL) {
+	if (pwd != NULL) {
 		encrypted = crypt(password, pwd->pw_passwd);
 		if (password[0] == '\0' && pwd->pw_passwd[0] != '\0')
 			encrypted = ":";