Subject: Re: su and PAM
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: None <sigsegv@rambler.ru>
List: current-users
Date: 03/22/2005 03:09:51
Steven M. Bellovin wrote:
> In message <423F88D5.9020700@rambler.ru>, sigsegv@rambler.ru writes:
>
>>I've just installed base system from netbsd-3 tree and noticed users
>>belonging to group 'wheel' can gain root access by running 'su', without
>>password prompt.
>>Is this intentional?
>>
>
> I can't reproduce that. I just upgraded to 3.99.1 from Saturday,
> leaving all of the PAM stuff as defaults, and I see a password prompt
> when I type 'su'.
>
>
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
Dude, I'm running 3.0_BETA; the src tree was updated today.
Below is the log attributed to running 'su'.
Any ideas? Something seems broken.
Mar 22 00:53:36 u10 su: in pam_start(): entering
Mar 22 00:53:36 u10 su: in pam_set_item(): entering: PAM_SERVICE
Mar 22 00:53:36 u10 su: in pam_set_item(): returning PAM_SUCCESS
Mar 22 00:53:36 u10 su: in pam_set_item(): entering: PAM_USER
Mar 22 00:53:36 u10 su: in pam_set_item(): returning PAM_SUCCESS
Mar 22 00:53:36 u10 su: in pam_set_item(): entering: PAM_CONV
Mar 22 00:53:36 u10 su: in pam_set_item(): returning PAM_SUCCESS
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: pam_sm_acct_mgmt(): Undefined symbol "pam_sm_acct_mgmt"
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: pam_sm_open_session(): Undefined symbol "pam_sm_open_session"
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: pam_sm_close_session(): Undefined symbol "pam_sm_close_session"
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: pam_sm_chauthtok(): Undefined symbol "pam_sm_chauthtok"
Mar 22 00:53:36 u10 su: in openpam_load_module(): using dynamic pam_rootok.so
Mar 22 00:53:36 u10 su: in openpam_load_module(): adding pam_rootok.so to cache
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_self.so: pam_sm_acct_mgmt(): Undefined symbol "pam_sm_acct_mgmt"
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_self.so: pam_sm_open_session(): Undefined symbol "pam_sm_open_session"
Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_self.so: pam_sm_close_session(): Undefined symbol "pam_sm_close_session"
Mar 22 00:53:36 u10 su: in openpam_dispatch(): pam_self.so: pam_sm_setcred(): success
Mar 22 00:53:36 u10 su: in openpam_get_option(): entering: 'debug'
Mar 22 00:53:36 u10 su: in openpam_get_option(): returning NULL
Mar 22 00:53:36 u10 su: in openpam_dispatch(): calling pam_sm_setcred() in pam_ksu.so
Mar 22 00:53:36 u10 su: in openpam_dispatch(): pam_ksu.so: pam_sm_setcred(): success
Mar 22 00:53:36 u10 su: in openpam_get_option(): entering: 'debug'
Mar 22 00:53:36 u10 su: in openpam_get_option(): returning NULL
Mar 22 00:53:36 u10 su: in openpam_dispatch(): calling pam_sm_setcred() in pam_group.so
Mar 22 00:53:36 u10 su: in openpam_dispatch(): pam_group.so: pam_sm_setcred(): success
Mar 22 00:53:36 u10 su: in openpam_get_option(): entering: 'debug'
Mar 22 00:53:36 u10 su: in openpam_get_option(): returning NULL
Mar 22 00:53:36 u10 su: in openpam_dispatch(): calling pam_sm_setcred() in pam_unix.so
Mar 22 00:53:36 u10 su: in openpam_dispatch(): pam_unix.so: pam_sm_setcred(): success
Mar 22 00:53:36 u10 su: in openpam_dispatch(): returning PAM_SUCCESS
Mar 22 00:53:36 u10 su: in pam_setcred(): returning PAM_SUCCESS
Mar 22 00:53:36 u10 su: roman to root on /dev/ttyp1