On Fri, Jan 04, 2002 at 01:19:43PM -0500, Swanson, Bryan wrote:
> note the use of pam_rootok to prevent root from having to supply
> a user's password ... also non-wheel members can't su to uid 0

I tried pam_rootok but it had no effect. Actually, su returns from the password check routine if uid=0, so it's as if pam_rootok were there. I even tried using only pam_permit.so in /etc/pam.d/su, for all classes, and still couldn't make root su to somebody else (regular users could su to anybody without passwords as expected from this change, though). Using your /etc/pam.d/su file also didn't make it work.

Applying the following patch from RH (one of those 50) worked for me. If this is correct, I suppose it would be nice to have someone more familiar with pam development take a look at the other 49 patches and see if there are any more things that could be added to the official linux-pam tree.

------------------------------------------------------------------------------
If the application wants to close a session it hasn't opened, we shouldn't fail outright, but return the result of running the stack.

--- Linux-PAM-0.75/libpam/pam_dispatch.c +++ Linux-PAM-0.75/libpam/pam_dispatch.c @@ -99,10 +99,14 @@ return retval; } + cached_retval = -1; + if (use_cached_chain) { /* a former stack execution has frozen the chain */ cached_retval = *(h->cached_retval_p); - } else { + } + + if (cached_retval == -1) { /* this stack execution is defining the frozen chain */ cached_retval = h->cached_retval = retval; }
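
Review bot: The new "if (cached_retval == -1)" test treats -1 as a "no frozen result" sentinel, but nothing in this hunk shows that *(h->cached_retval_p) is initialised to -1 before a stack has run; please confirm that in the handler setup and use a named constant instead of the bare -1 in both places. With the "else" removed, the second block also runs when use_cached_chain is set, so its comment ("this stack execution is defining the frozen chain") should be extended to say it now covers the close-without-open case from the description, where h->cached_retval is overwritten by the current retval.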