pam_rootok(8) + pam.d/sudo symlink to pam.d/su

Brian A. Seklecki lavalamp at
Fri Oct 7 08:56:49 PDT 2005

Every reference(1) to configuring PAM and sudo(8) (in my case, for LDAP), 
suggests just symlinking [/usr/local/]etc/pam.d/sudo to /etc/pam.d/su

However, when I do that, all wheel-group users are automatically passing 
auth requirements due to:

auth            sufficient           no_warn

...which I assume is happening because sudo(8) is running SUID root?

---s--x--x  2 root  wheel  105264 Aug 19 12:36 /usr/local/bin/sudo*

...the problem is, that confuses the visudo(8), sudoers(5) policy by 
effectively adding:

%wheel        ALL=(ALL)       NOPASSWD: ALL

Is this correct? If so, the docs should probably be updated.
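
An added example, not part of the original post: a small Python check that flags any `auth` rule in a PAM service file where pam_rootok alone ends the stack with success, and reports where a symlinked service file such as pam.d/sudo really points. The sample policy is constructed, its module name is taken from the subject line, and the function names are hypothetical.

```python
import os
import re

# Constructed sample: a pam.d/su style policy. The pam_rootok.so module name
# is taken from the subject line of the post; the other rules are illustrative.
SAMPLE_SU_POLICY = """\
# auth
auth\t\tsufficient\tpam_rootok.so\t\tno_warn
auth\t\trequisite\tpam_group.so\t\tno_warn group=wheel root_only fail_safe
auth\t\tinclude\t\tsystem
# account
account\t\tinclude\t\tsystem
"""

def parse_pam_lines(text):
    """Yield (lineno, facility, control, module, args) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Linux-PAM also allows a bracketed control field, e.g. [success=done default=ignore]
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            facility, control, module, args = m.groups()
            yield lineno, facility.lstrip("-").lower(), control.lower(), module, args.split()

def rootok_shortcuts(text):
    """Return line numbers of auth rules where pam_rootok success ends the stack."""
    hits = []
    for lineno, facility, control, module, _ in parse_pam_lines(text):
        is_rootok = os.path.basename(module).startswith("pam_rootok")
        short_circuit = control == "sufficient" or "success=done" in control
        if facility == "auth" and is_rootok and short_circuit:
            hits.append(lineno)
    return hits

def audit_service(path):
    """Audit a PAM service file on disk and show what a symlink resolves to."""
    with open(path) as fh:
        return {"path": path, "is_symlink": os.path.islink(path),
                "resolves_to": os.path.realpath(path),
                "rootok_lines": rootok_shortcuts(fh.read())}

if __name__ == "__main__":
    print(rootok_shortcuts(SAMPLE_SU_POLICY))
```

Running `audit_service()` against the sudo service file shows both whether it is a symlink to the su policy and which lines would let a root-privileged caller skip the password prompt.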


