authorFrederic Lepied <flepied@mandriva.com>2005-09-19 14:50:09 +0000
committerFrederic Lepied <flepied@mandriva.com>2005-09-19 14:50:09 +0000
commit1ece7e5ab54efb14d5a664d9eaa78753e40809cc (patch)
treee1e51108befb3c97322b8019550b8e39b44622e4
parent261cd4c24f66e2922fcf717337ce3cb232592479 (diff)
enable_pam_root_from_wheel: fixed a too lax configuration in level 2 (bug #18403).
-rw-r--r--share/libmsec.py36
1 files changed, 26 insertions, 10 deletions
diff --git a/share/libmsec.py b/share/libmsec.py
index 7ee1812..7108844 100644
--- a/share/libmsec.py
+++ b/share/libmsec.py
@@ -71,6 +71,7 @@ SERVER = '/etc/security/msec/server'
SHADOW = '/etc/shadow'
SHUTDOWN = '/usr/bin/shutdown'
SHUTDOWNALLOW = '/etc/shutdown.allow'
+SIMPLE_ROOT_AUTHEN = '/etc/pam.d/simple_root_authen'
SSHDCONFIG = '/etc/ssh/sshd_config'
STARTX = '/usr/X11R6/bin/startx'
SU = '/etc/pam.d/su'
@@ -634,28 +635,43 @@ enable_pam_wheel_for_su.arg_trans = YES_NO_TRANS
################################################################################
+SUCCEED_MATCH = '^auth\s+sufficient\s+pam_succeed_if.so\s+use_uid\s+user\s+ingroup\s+wheel\s*$'
+SUCCEED_LINE = 'auth sufficient pam_succeed_if.so use_uid user ingroup wheel'
+
def enable_pam_root_from_wheel(arg):
''' Allow root access without password for the members of the wheel group.'''
- system_auth = ConfigFile.get_config_file(SYSTEM_AUTH)
-
- if not system_auth.exists():
+ su = ConfigFile.get_config_file(SU)
+ simple = ConfigFile.get_config_file(SIMPLE_ROOT_AUTHEN)
+
+ if not su.exists():
return
- val = system_auth.get_match('^auth\s+sufficient\s+pam_succeed_if.so\s+use_uid\s+user\s+ingroup\s+wheel\s*$')
-
+ val = su.get_match(SUCCEED_MATCH)
+
+ if simple.exists():
+ val_simple = simple.get_match(SUCCEED_MATCH)
+ else:
+ val_simple = False
+
# don't lower security when not changing security level
if same_level():
- if not val:
+ if not val and not val_simple:
return
if arg:
- if not val:
+ if not val or (simple.exists() and not val_simple):
_interactive and log(_('Allowing transparent root access for wheel group members'))
- system_auth.insert_after('^auth\s+required', 'auth sufficient pam_succeed_if.so use_uid user ingroup wheel')
+ if not val:
+ su.insert_before('^auth\s+required', SUCCEED_LINE)
+ if simple.exists() and not val_simple:
+ simple.insert_before('^auth\s+required', SUCCEED_LINE)
else:
- if val:
+ if val or (simple.exists() and val_simple):
_interactive and log(_('Disabling transparent root access for wheel group members'))
- system_auth.remove_line_matching('^auth\s+sufficient\s+pam_succeed_if.so\s+use_uid\s+user\s+ingroup\s+wheel\s*$')
+ if val:
+ su.remove_line_matching(SUCCEED_MATCH)
+ if simple.exists() and val_simple:
+ simple.remove_line_matching(SUCCEED_MATCH)
enable_pam_root_from_wheel.arg_trans = YES_NO_TRANS
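Review bot: Hosts configured by the previous version of this function keep the `auth sufficient pam_succeed_if.so use_uid user ingroup wheel` line in /etc/pam.d/system-auth, because the new body only reads and edits SU and SIMPLE_ROOT_AUTHEN and never touches SYSTEM_AUTH, which the removed lines show the old code wrote to; since system-auth is shared by every PAM service, that is precisely the too-lax state the commit sets out to fix, and disabling the option (arg false) will not clear it either. I would add an unconditional cleanup of SYSTEM_AUTH at the top of the function, shown below; removing the line only tightens security, so it need not consult same_level(). A smaller point: under same_level() the early return fires only when neither file has the line, so a host where only simple_root_authen carries it gets the line added to su on a routine run, which is the lowering of security the comment above the check says should not happen; `if not val: return` (or handling each file on its own) would match the comment.

```python
def enable_pam_root_from_wheel(arg):
    ''' Allow root access without password for the members of the wheel group.'''
    # Drop the line an earlier msec wrote into the shared system-auth stack:
    # there it granted wheel members passwordless root to every PAM service, not only su.
    system_auth = ConfigFile.get_config_file(SYSTEM_AUTH)
    if system_auth.exists() and system_auth.get_match(SUCCEED_MATCH):
        _interactive and log(_('Removing transparent root access for wheel group members from system-auth'))
        system_auth.remove_line_matching(SUCCEED_MATCH)
    # … unchanged: su / simple_root_authen handling …
```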