* bug#26827: [PATCH] system: Allow root to run "su" without password.
From: Ricardo Wurmus @ 2017-05-08 10:52 UTC (permalink / raw)
To: 26827; +Cc: Ricardo Wurmus
* gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
auth field when ALLOW-ROOT? is #T.
(base-pam-services): Allow root to run "su" without authentication.
---
gnu/system/pam.scm | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 4546c1a73..eedf93394 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -204,21 +204,27 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(env (pam-entry ; to honor /etc/environment.
(control "required")
(module "pam_env.so"))))
- (lambda* (name #:key allow-empty-passwords? motd)
+ (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd)
"Return a standard Unix-style PAM service for NAME. When
-ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it
-should be a file-like object used as the message-of-the-day."
+ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
+true, allow root to run the command without authentication. When MOTD is
+true, it should be a file-like object used as the message-of-the-day."
;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
(let ((name* name))
(pam-service
(name name*)
(account (list unix))
- (auth (list (if allow-empty-passwords?
- (pam-entry
- (control "required")
- (module "pam_unix.so")
- (arguments '("nullok")))
- unix)))
+ (auth (append (if allow-root?
+ (list (pam-entry
+ (control "sufficient")
+ (module "pam_rootok.so")))
+ '())
+ (list (if allow-empty-passwords?
+ (pam-entry
+ (control "required")
+ (module "pam_unix.so")
+ (arguments '("nullok")))
+ unix))))
(password (list (pam-entry
(control "required")
(module "pam_unix.so")
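Review bot: the order of the two `append` operands is load-bearing and nothing in the hunk says so. A "required" failure recorded before a "sufficient" success still fails the stack, so if someone later swaps the `(if allow-root? ...)` branch and the `(list (if allow-empty-passwords? ...))` form, root gets the password prompt back with no error. A short comment above `(auth (append (if allow-root?` saying that pam_rootok.so must precede pam_unix.so would guard against that. The docstring's "allow root to run the command without authentication" is also ambiguous for su, where there is an invoking user and a target user; stating that pam_rootok.so passes only when the calling process has UID 0 (so an unprivileged caller of the setuid binary still falls through to pam_unix.so) would make the intended reading explicit. Minor style point: `(allow-root? #f)` spells out its default while `allow-empty-passwords?` relies on the implicit `#f`; pick one form for both.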
@@ -256,7 +262,12 @@ authenticate to run COMMAND."
;; These programs are setuid-root.
(map (cut unix-pam-service <>
#:allow-empty-passwords? allow-empty-passwords?)
- '("su" "passwd" "sudo"))
+ '("passwd" "sudo"))
+ ;; This is setuid-root, as well. Allow root to run "su" without
+ ;; authenticating.
+ (list (unix-pam-service "su"
+ #:allow-empty-passwords? allow-empty-passwords?
+ #:allow-root? #t))
;; These programs are not setuid-root, and we want root to be able
;; to run them without having to authenticate (notably because
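Review bot: the new comment says su "is setuid-root, as well" but not why that makes the pam_rootok route the right one for it while the not-setuid programs described just below get a different treatment; one sentence noting that su is exec'd by the very user who needs checking, so a UID-0 test on the caller separates root from an ordinary user, would make the split from the `'("passwd" "sudo")` map self-explanatory. Consider also folding the new `(list (unix-pam-service "su" ...))` form and its comment into the existing `;; These programs are setuid-root.` block, since the only reason for the separate list is to pass `#:allow-root? #t`.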
--
2.12.2
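To make the control-flag semantics the patch relies on concrete, here is an added example that is not Guix code and not Linux-PAM code: a small Python model of how an auth stack is evaluated as pam.conf(5) describes it (required, requisite, sufficient, optional), with simplified stand-ins for pam_rootok.so (succeeds when the caller's real UID is 0) and pam_unix.so (compares the offered password against a constructed account table; `nullok` lets an empty stored password authenticate). It builds the "su" stack that unix-pam-service produces after the patch and also the reversed ordering, to show why pam_rootok.so has to come first: a "required" failure recorded earlier is never overridden by a later "sufficient" success. The Caller and Entry types, the ACCOUNTS table, the user names and the UIDs are all assumptions made up for this example.

```python
"""Model of Linux-PAM auth-stack evaluation (added example; not Guix or
Linux-PAM code).  Module behaviour is a simplified stand-in."""

from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Caller:
    """The process calling into PAM, e.g. a setuid-root su binary.
    real_uid is what pam_rootok keys on; password is what pam_unix
    compares against the target account.  Constructed for the example."""
    real_uid: int
    password: Optional[str]


# Constructed account table: target user -> stored password.
# An empty string models an account whose password field is empty.
ACCOUNTS = {"root": "r00t-secret", "alice": "wonderland", "guest": ""}


def pam_rootok(caller: Caller, target: str, args: tuple) -> bool:
    # Succeeds only when the calling process itself runs as UID 0;
    # the target account is irrelevant.
    return caller.real_uid == 0


def pam_unix(caller: Caller, target: str, args: tuple) -> bool:
    stored = ACCOUNTS.get(target)
    if stored is None:
        return False
    if stored == "" and "nullok" not in args:
        # Without nullok an empty password field can never authenticate.
        return False
    return caller.password == stored


@dataclass
class Entry:
    control: str                                   # required/requisite/sufficient/optional
    module: Callable[[Caller, str, tuple], bool]
    args: tuple = ()


def run_auth(stack, caller: Caller, target: str) -> Tuple[bool, Optional[str]]:
    """Walk an auth stack with pam.conf(5) control semantics.
    Returns (ok, name of the module that decided the result)."""
    first_failure = None       # first failing "required" module, if any
    optional_only = True
    last_ok, last_name = True, None
    for entry in stack:
        name = entry.module.__name__
        ok = entry.module(caller, target, entry.args)
        last_ok, last_name = ok, name
        if entry.control != "optional":
            optional_only = False
        if entry.control == "required":
            if not ok and first_failure is None:
                first_failure = name           # fatal, but keep walking the stack
        elif entry.control == "requisite":
            if not ok:
                return False, name             # fatal and stop immediately
        elif entry.control == "sufficient":
            if ok and first_failure is None:
                return True, name              # decided; later modules are skipped
            # a failing sufficient module is simply ignored
        elif entry.control == "optional":
            pass                               # only counts when it is alone
        else:
            raise ValueError(f"unknown control {entry.control!r}")
    if first_failure is not None:
        return False, first_failure
    if optional_only:
        return last_ok, last_name
    return True, last_name


def su_stack(allow_root: bool = True, allow_empty_passwords: bool = False):
    """The auth list unix-pam-service builds for "su" after the patch."""
    stack = []
    if allow_root:
        stack.append(Entry("sufficient", pam_rootok))
    unix_args = ("nullok",) if allow_empty_passwords else ()
    stack.append(Entry("required", pam_unix, unix_args))
    return stack


def reversed_stack():
    """Same two entries with pam_unix first: the sufficient pam_rootok can
    no longer override the required failure already recorded."""
    return [Entry("required", pam_unix), Entry("sufficient", pam_rootok)]


if __name__ == "__main__":
    root = Caller(real_uid=0, password=None)       # root invoking su, no password typed
    alice = Caller(real_uid=1000, password="wonderland")
    print(run_auth(su_stack(), root, "alice"))        # (True, 'pam_rootok')
    print(run_auth(su_stack(), alice, "alice"))       # (True, 'pam_unix')
    print(run_auth(reversed_stack(), root, "alice"))  # (False, 'pam_unix')
```

Run it directly to see the three cases; the third line is the ordering failure the patch avoids by prepending the pam_rootok.so entry rather than appending it.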
* bug#26827: [PATCH] system: Allow root to run "su" without password.
From: Ludovic Courtès @ 2017-05-08 14:41 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: 26827
Ricardo Wurmus <rekado@elephly.net> writes:
> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
> auth field when ALLOW-ROOT? is #T.
> (base-pam-services): Allow root to run "su" without authentication.
LGTM, thanks for fixing it!
Ludo'.
* bug#26827: [PATCH] system: Allow root to run "su" without password.
From: Ricardo Wurmus @ 2017-05-08 21:08 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 26827-done
Ludovic Courtès <ludo@gnu.org> writes:
> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>> auth field when ALLOW-ROOT? is #T.
>> (base-pam-services): Allow root to run "su" without authentication.
>
> LGTM, thanks for fixing it!
Thanks for the review!
Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8. I’m
glad it wasn’t so difficult to fix it. This annoyed me for a while, but
I never got around to looking a little more closely…
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* bug#26827: [PATCH] system: Allow root to run "su" without password.
From: Ricardo Wurmus @ 2017-05-08 21:12 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 26827-done
Ricardo Wurmus <rekado@elephly.net> writes:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> * gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
>>> auth field when ALLOW-ROOT? is #T.
>>> (base-pam-services): Allow root to run "su" without authentication.
>>
>> LGTM, thanks for fixing it!
>
> Thanks for the review!
>
> Pushed to master with 0adb8e1f0178a08029583dadcd45cce80150e9d8.
Actually, it was e586257b550918fefaab3970f2c314d6285f54ab. Forgot to
push :)
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git