From nobody@FreeBSD.org  Tue Jul 31 04:36:15 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id C108E37B403
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 31 Jul 2001 04:36:07 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f6VBa7g25013;
	Tue, 31 Jul 2001 04:36:07 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200107311136.f6VBa7g25013@freefall.freebsd.org>
Date: Tue, 31 Jul 2001 04:36:07 -0700 (PDT)
From: Joshua Goodall <joshua@roughtrade.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pam_wheel does not check primary group id
X-Send-Pr-Version: www-1.0

>Number:         29349
>Category:       bin
>Synopsis:       pam_wheel does not check primary group id
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    markm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 31 04:40:01 PDT 2001
>Closed-Date:    Sat Aug 4 02:20:28 PDT 2001
>Last-Modified:  Sat Aug 04 02:21:08 PDT 2001
>Originator:     Joshua Goodall
>Release:        -CURRENT
>Organization:
>Environment:
-CURRENT as of May 26 09:52:36 2001
>Description:
pam_wheel, and therefore, su(1) does not allow a user who is a member of group 0 (in /etc/passwd) to 'su root' unless they are also explicitly listed in /etc/group.

From 'man group':
	A user is automatically in a group if that group was specified
	in their /etc/passwd entry and does not need to be added to
	that group in the /etc/group file.

>How-To-Repeat:
Add a user to group 0, but don't add them to /etc/group.
Try to 'su root'.

>Fix:
Doesn't this sound very like PR bin/6696?

Add appropriate gid check? maybe something like the following diff (builds, not tested).

Index: pam_wheel.c
===================================================================
RCS file: /data/joshua/bsd/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v
retrieving revision 1.2
diff -u -r1.2 pam_wheel.c
--- pam_wheel.c	2001/07/14 08:42:39	1.2
+++ pam_wheel.c	2001/07/31 11:21:11
@@ -122,7 +122,7 @@

	PAM_LOG("Got group: %s", grp->gr_name);

-	if (in_list(grp->gr_mem, fromsu)) {
+	if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, fromsu)) {
		if (pam_test_option(&options, PAM_OPT_DENY, NULL))
			PAM_RETURN(PAM_PERM_DENIED);
		if (pam_test_option(&options, PAM_OPT_TRUST, NULL))

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Tue Jul 31 06:58:44 PDT 2001 
Responsible-Changed-Why:  
Mark's our pam head. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29349 

From: Sheldon Hearn <sheldonh@starjuice.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/29349: pam_wheel does not check primary group id
Date: Fri, 03 Aug 2001 17:06:34 +0200

 The patch looks good and tests okay over here.
 
 While testing, I was disappointed to see that we're back to square one
 with su(1) providing no useful information for the various kinds of
 authentication failure.
 
 Does pam have some "verbose messages to stderr, please" option that we
 could turn on if the user specified -v to su?
 
 Ciao,
 Sheldon.
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Sat Aug 4 02:20:28 PDT 2001 
State-Changed-Why:  
Fixed. Thanks for the report! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29349 
>Unformatted:
