Patch for Debian bug #163787 et al

Always use the process uid, not getlogin(), to identify the applicant in
pam_wheel: the utmp entry may be wrong, or absent entirely (for example
in an xterm).

Authors: Ben Collins <bcollins@debian.org>

Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>

Index: pam.deb/modules/pam_wheel/pam_wheel.c
===================================================================
--- pam.deb.orig/modules/pam_wheel/pam_wheel.c
+++ pam.deb/modules/pam_wheel/pam_wheel.c
@@ -60,9 +60,8 @@
 /* argument parsing */
 
 #define PAM_DEBUG_ARG       0x0001
-#define PAM_USE_UID_ARG     0x0002
-#define PAM_TRUST_ARG       0x0004
-#define PAM_DENY_ARG        0x0010
+#define PAM_TRUST_ARG       0x0002
+#define PAM_DENY_ARG        0x0004
 #define PAM_ROOT_ONLY_ARG   0x0020
 
 static int
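Review bot: PAM_TRUST_ARG and PAM_DENY_ARG are renumbered (0x0004 -> 0x0002, 0x0010 -> 0x0004) although nothing in the module depends on the flag values being contiguous, and PAM_ROOT_ONLY_ARG stays at 0x0020 so the gap remains either way. Dropping only the PAM_USE_UID_ARG line and leaving the other two values untouched keeps the diff to the change it describes; if the renumbering is kept, it is at least worth confirming that no other translation unit or out-of-tree patch tests these bits by value.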
@@ -80,8 +79,7 @@
 
           if (!strcmp(*argv,"debug"))
                ctrl |= PAM_DEBUG_ARG;
-          else if (!strcmp(*argv,"use_uid"))
-               ctrl |= PAM_USE_UID_ARG;
+          else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
           else if (!strcmp(*argv,"trust"))
                ctrl |= PAM_TRUST_ARG;
           else if (!strcmp(*argv,"deny"))
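Review bot: The replacement line `else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */` relies on a bare `;` as the body of the `else if`, which is easy to misread as a stray semicolon and is exactly what `-Wempty-body` warns about. An explicit empty block makes the intent unambiguous: `else if (!strcmp(*argv,"use_uid")) { /* no-op: the real uid is now always used */ }`. The enclosing argument-parsing function starts outside the hunk.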
@@ -129,27 +127,14 @@
         }
     }
 
-    if (ctrl & PAM_USE_UID_ARG) {
-	tpwd = pam_modutil_getpwuid (pamh, getuid());
-	if (!tpwd) {
-	    if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-	    }
-	    return PAM_SERVICE_ERR;
-	}
-	fromsu = tpwd->pw_name;
-    } else {
-	fromsu = pam_modutil_getlogin(pamh);
-	if (fromsu) {
-	    tpwd = pam_modutil_getpwnam (pamh, fromsu);
-	}
-	if (!fromsu || !tpwd) {
-	    if (ctrl & PAM_DEBUG_ARG) {
-		pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-	    }
-	    return PAM_SERVICE_ERR;
+    tpwd = pam_modutil_getpwuid (pamh, getuid());
+    if (!tpwd) {
+	if (ctrl & PAM_DEBUG_ARG) {
+	    pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
 	}
+	return PAM_SERVICE_ERR;
     }
+    fromsu = tpwd->pw_name;
 
     /*
      * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
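Review bot: When pam_modutil_getpwuid() fails for the calling uid, the new code returns PAM_SERVICE_ERR but logs only when the debug option is set, so an NSS outage or an unmapped uid that now denies every applicant leaves no trace in the auth log; the message should be unconditional and at error priority, e.g. `pam_syslog(pamh, LOG_ERR, "cannot determine user name for uid %lu", (unsigned long) getuid());` with the `PAM_DEBUG_ARG` gate dropped. Since the real uid is now the only way an applicant is identified, a short comment above the getpwuid call stating that getlogin()/utmp is deliberately not consulted would stop a later maintainer from reintroducing that path. The enclosing function starts outside the hunk.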
Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml
===================================================================
--- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml
+++ pam.deb/modules/pam_wheel/pam_wheel.8.xml
@@ -33,9 +33,6 @@
       <arg choice="opt">
 	trust
       </arg>
-      <arg choice="opt">
-	use_uid
-      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -115,18 +112,6 @@
           </para>
         </listitem>
       </varlistentry>
-      <varlistentry>
-        <term>
-          <option>use_uid</option>
-        </term>
-        <listitem>
-          <para>
-            The check for wheel membership will be done against
-            the current uid instead of the original one (useful when
-            jumping with su from one account to another for example).
-          </para>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 
Index: pam.deb/modules/pam_wheel/pam_wheel.8
===================================================================
--- pam.deb.orig/modules/pam_wheel/pam_wheel.8
+++ pam.deb/modules/pam_wheel/pam_wheel.8
@@ -1,64 +1,59 @@
 .\"     Title: pam_wheel
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
-.\"      Date: 04/16/2008
+.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
+.\"      Date: 07/27/2008
 .\"    Manual: Linux-PAM Manual
 .\"    Source: Linux-PAM Manual
 .\"
-.TH "PAM_WHEEL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_WHEEL" "8" "07/27/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pam_wheel - Only permit root access to members of group wheel
+pam_wheel \- Only permit root access to members of group wheel
 .SH "SYNOPSIS"
 .HP 13
-\fBpam_wheel\.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
+\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
 .SH "DESCRIPTION"
 .PP
 The pam_wheel PAM module is used to enforce the so\-called
 \fIwheel\fR
-group\. By default it permits root access to the system if the applicant user is a member of the
+group\&. By default it permits root access to the system if the applicant user is a member of the
 \fIwheel\fR
-group\. If no group with this name exist, the module is using the group with the group\-ID
-\fB0\fR\.
+group\&. If no group with this name exist, the module is using the group with the group\-ID
+\fB0\fR\&.
 .SH "OPTIONS"
 .PP
 \fBdebug\fR
 .RS 4
-Print debug information\.
+Print debug information\&.
 .RE
 .PP
 \fBdeny\fR
 .RS 4
 Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
 \fBgroup\fR
-option), deny access\. Conversely, if the user is not in the group, return PAM_IGNORE (unless
+option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless
 \fBtrust\fR
-was also specified, in which case we return PAM_SUCCESS)\.
+was also specified, in which case we return PAM_SUCCESS)\&.
 .RE
 .PP
 \fBgroup=\fR\fB\fIname\fR\fR
 .RS 4
 Instead of checking the wheel or GID 0 groups, use the
 \fB\fIname\fR\fR
-group to perform the authentication\.
+group to perform the authentication\&.
 .RE
 .PP
 \fBroot_only\fR
 .RS 4
-The check for wheel membership is done only\.
+The check for wheel membership is done only\&.
 .RE
 .PP
 \fBtrust\fR
 .RS 4
-The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\.
-.RE
-.PP
-\fBuse_uid\fR
-.RS 4
-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\.
+The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
 .RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
@@ -66,52 +61,52 @@
 \fBauth\fR
 and
 \fBaccount\fR
-services are supported\.
+services are supported\&.
 .SH "RETURN VALUES"
 .PP
 PAM_AUTH_ERR
 .RS 4
-Authentication failure\.
+Authentication failure\&.
 .RE
 .PP
 PAM_BUF_ERR
 .RS 4
-Memory buffer error\.
+Memory buffer error\&.
 .RE
 .PP
 PAM_IGNORE
 .RS 4
-The return value should be ignored by PAM dispatch\.
+The return value should be ignored by PAM dispatch\&.
 .RE
 .PP
 PAM_PERM_DENY
 .RS 4
-Permission denied\.
+Permission denied\&.
 .RE
 .PP
 PAM_SERVICE_ERR
 .RS 4
-Cannot determine the user name\.
+Cannot determine the user name\&.
 .RE
 .PP
 PAM_SUCCESS
 .RS 4
-Success\.
+Success\&.
 .RE
 .PP
 PAM_USER_UNKNOWN
 .RS 4
-User not known\.
+User not known\&.
 .RE
 .SH "EXAMPLES"
 .PP
-The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\.
+The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&.
 .sp
 .RS 4
 .nf
-su      auth     sufficient     pam_rootok\.so
-su      auth     required       pam_wheel\.so
-su      auth     required       pam_unix\.so
+su      auth     sufficient     pam_rootok\&.so
+su      auth     required       pam_wheel\&.so
+su      auth     required       pam_unix\&.so
       
 .fi
 .RE
@@ -124,4 +119,4 @@
 \fBpam\fR(8)
 .SH "AUTHOR"
 .PP
-pam_wheel was written by Cristian Gafton <gafton@redhat\.com>\.
+pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
Index: pam.deb/modules/pam_wheel/README
===================================================================
--- pam.deb.orig/modules/pam_wheel/README
+++ pam.deb/modules/pam_wheel/README
@@ -39,12 +39,6 @@
     modules the wheel members may be able to su to root without being prompted
     for a passwd).
 
-use_uid
-
-    The check for wheel membership will be done against the current uid instead
-    of the original one (useful when jumping with su from one account to
-    another for example).
-
 EXAMPLES
 
 The root account gains access by default (rootok), only wheel members can
