author | rwatson <rwatson@FreeBSD.org> | 2002-10-18 02:37:29 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-18 02:37:29 +0000 |
commit | 8601e0f6808226151130944863c90aa191ccc482 (patch) | |
tree | 04bf05c1779855face01145ba61bd75136b84075 /lib | |
parent | 71c09f6a0abcd4ce5676d7499eab0ae652b3440c (diff) | |
Introduce 'exempt_if_empty' option to pam_wheel(8), which bypasses the
group membership requirement if the group has no explicit members listed
in /etc/group. By default, this group is the wheel group; setting this
flag restores the default BSD behavior from 4.x.
Reviewed by: markm
Requested by: various
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/modules/pam_wheel/pam_wheel.8 | 10 | ||||
-rw-r--r-- | lib/libpam/modules/pam_wheel/pam_wheel.c | 10 |
2 files changed, 18 insertions, 2 deletions
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.8 b/lib/libpam/modules/pam_wheel/pam_wheel.8
index bd412c8..e564e6e 100644
--- a/lib/libpam/modules/pam_wheel/pam_wheel.8
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.8
@@ -55,7 +55,7 @@ which defaults to
 .Dq Li wheel .
 .Pp
 The following options may be passed to the authentication module:
-.Bl -tag -width ".Cm auth_as_self"
+.Bl -tag -width ".Cm exempt_if_empty"
 .It Cm debug
 .Xr syslog 3
 debugging information at
@@ -103,6 +103,14 @@ instead of
 if the user is authenticating to a user that is not the superuser.
+.It Cm exempt_if_empty
+return
+.Dv PAM_IGNORE
+if the specified group (default group of
+.Dq Li wheel )
+is empty, providing traditional BSD
+.Xr su 8
+semantics permitting any user to su if the wheel group is empty.
 .El
 .Sh SEE ALSO
 .Xr getlogin 2 ,
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c
index b4137ae..3169822 100644
--- a/lib/libpam/modules/pam_wheel/pam_wheel.c
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.c
@@ -59,7 +59,8 @@ enum {
 PAM_OPT_GROUP,
 PAM_OPT_TRUST,
 PAM_OPT_AUTH_AS_SELF,
-PAM_OPT_NOROOT_OK
+PAM_OPT_NOROOT_OK,
+PAM_OPT_EXEMPT_IF_EMPTY
 };
 
 static struct opttab other_options[] = {
@@ -68,6 +69,7 @@ static struct opttab other_options[] = {
 { "trust", PAM_OPT_TRUST },
 { "auth_as_self", PAM_OPT_AUTH_AS_SELF },
 { "noroot_ok", PAM_OPT_NOROOT_OK },
+{ "exempt_if_empty", PAM_OPT_EXEMPT_IF_EMPTY },
 { NULL, 0 }
 };
 
@@ -153,6 +155,12 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused,
 
 PAM_LOG("Got group: %s", grp->gr_name);
 
+/* If the group is empty, see if we exempt empty groups. */
+if (*(grp->gr_mem) == NULL) {
+if (pam_test_option(&options, PAM_OPT_EXEMPT_IF_EMPTY, NULL))
+return (PAM_IGNORE);
+}
+
 if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)) {
 if (pam_test_option(&options, PAM_OPT_DENY, NULL)) {
 PAM_VERBOSE_ERROR("Member of group %s; denied", |
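Review bot: The new exemption path in the third hunk of pam_wheel.c returns PAM_IGNORE without any log line, so an administrator auditing why a non-wheel user was allowed through sees nothing, unlike the surrounding branches which emit PAM_LOG/PAM_VERBOSE_ERROR; add `PAM_LOG("Group %s is empty; exempting", grp->gr_name);` before the `return (PAM_IGNORE);`. The emptiness test `*(grp->gr_mem) == NULL` only counts explicit gr_mem entries, so users whose primary GID is the group (the `pwd->pw_gid == grp->gr_gid` case on the next line) still leave the group "empty" for this purpose; the comment should state that, e.g. `/* "Empty" means no explicit members in the group file; primary-GID members do not count. */`, and the manual page's "is empty" wording could say the same. The dereference of `grp->gr_mem` assumes it was validated non-NULL earlier in pam_sm_authenticate, which starts outside this hunk; worth confirming.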