Bug#235804: gksu: problem with pam_wheel.so trust group=adm

Edward J. Shornock "Edward J. Shornock" <eshornoc@comcast.net>, 235804@bugs.debian.org
Wed, 14 Apr 2004 13:18:53 -0400


Gustavo Noronha Silva wrote:

> On Tue, 2004-04-13 at 23:23 -0400, Edward J. Shornock wrote:
>
>> For awhile now, gksu would hang after inputting root's password, yet the
>> process would still be running.
>
> Hi!
>
> I'm a bit confused. The problem reported by Vinicius seems to be that
> gksu should not ask the root password. Your problem seems to be
> different: you entered the password and gksu would hang after that.

If pam_wheel.so trust is set for a group, I don't think a user should be
prompted for the root password (as is currently the case with gksu).  So
I do have the problem Vinicius had reported as well.  Should I have sent
in two separate reports?  (I want to do this the proper way).

>> Creating a new user, I just added them to the wheel group but NOT to the
>> adm group.  gksu worked as intended.  After I removed my username from
>> the adm group, I could use gksu as well.  Now I just need to input
>> root's password when running "su".
>
> So, this is what confused me. Do you need to enter the password after
> that?

Sorry, I wasn't absolutely clear, I was typing the report fairly quickly
last night...

I am only prompted for the password by gksu once.  Without the
"pam_wheel.so trust group=adm" line, the gksu helper process continues
as it should.  With that trust line, it should not prompt for the root
password (and I was prompted for it), but in addition to being prompted
for the password, gksu-run-helper does not appear to continue.

Being a newbie with pam, those two lines in my /etc/pam.d/su might
conflict with each other, I do not know.

--cut--
auth        requisite   pam_wheel.so group=wheel debug
auth       sufficient pam_wheel.so trust group=adm
--cut--

I know I do not need that, since I can simply have trust everyone in
group wheel and totally disregard the adm group.  I do not require this
functionality--I just read it in a HOWTO somewhere...

Others might need/want the ability to require users to be part of the
wheel group to su, and in addition, not require another group to input
the password. To clarify:  If user is a member of wheel, they can "su"
to root.  If they are a member of wheel AND adm, they don't need a password.

If any more information or clarification is needed, please let me know.


> Thanks,

Thank you for your attention,

Edward Shornock
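
The policy described in the message above (wheel members may su; members of both wheel and adm skip the password), as an added example that is not part of the original message or of gksu or PAM code: a simplified Python model of how the two quoted /etc/pam.d/su lines combine. The pam_wheel return codes used here, the password module assumed to follow in the stack, and the sample users are assumptions of the model.

```python
# Simplified model of the two pam_wheel lines quoted in the report, evaluated
# in order as the "auth" stack of /etc/pam.d/su. This is a model, not libpam.
SUCCESS, IGNORE, PERM_DENIED = "success", "ignore", "perm_denied"

def pam_wheel(groups, group, trust=False):
    """Assumed pam_wheel results: member with trust -> SUCCESS,
    member without trust -> IGNORE, non-member -> PERM_DENIED."""
    if group in groups:
        return SUCCESS if trust else IGNORE
    return PERM_DENIED

# (control flag, module) pairs in the order quoted in the message
STACK = [
    ("requisite", lambda g: pam_wheel(g, "wheel")),
    ("sufficient", lambda g: pam_wheel(g, "adm", trust=True)),
]

def su_auth(groups):
    """Return 'denied', 'no password' or 'password prompt' for a caller's groups."""
    for control, module in STACK:
        result = module(groups)
        if control == "requisite" and result == PERM_DENIED:
            return "denied"        # a requisite failure ends the stack at once
        if control == "sufficient" and result == SUCCESS:
            return "no password"   # a sufficient success ends the stack at once
        # IGNORE, and a failed "sufficient", fall through to the next module
    # Assumption: a password module (e.g. pam_unix) follows these two lines.
    return "password prompt"

SAMPLE_USERS = {  # constructed sample accounts
    "alice": {"wheel"},
    "bob": {"wheel", "adm"},
    "carol": {"adm"},
    "dave": set(),
}

def evaluate_all():
    return {user: su_auth(groups) for user, groups in SAMPLE_USERS.items()}

if __name__ == "__main__":
    for user, outcome in evaluate_all().items():
        print(f"{user:6} {outcome}")
```

In this model only a member of both groups skips the prompt, and an adm member who is not in wheel is refused before the trust line is ever reached.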