pam_rootok(8) + pam.d/sudo symlink to pam.d/su

Brian A. Seklecki lavalamp at spiritual-machines.org
Fri Oct 7 08:56:49 PDT 2005


Every reference(1) to configuring PAM and sudo(8) (in my case, for LDAP), 
suggests just symlinking [/usr/local/]etc/pam.d/sudo to /etc/pam.d/su

However, when I do that, all wheel-group users are automatically passing 
auth requirements due to:

auth            sufficient      pam_rootok.so           no_warn

...which I assume is happening because sudo(8) is running SUID root?

---s--x--x  2 root  wheel  105264 Aug 19 12:36 /usr/local/bin/sudo*

...the problem is, that confuses the visudo(8),sudoers(5) policy by 
effectivly adding:

%wheel        ALL=(ALL)       NOPASSWD: ALL

Is this correct? If so, the docs should probably be updated.

1.:
http://sudo.rtin.bz/sudo/install.html
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/pam-config.html
http://netbsd.org/guide/en/chap-pam.html


More information about the freebsd-questions mailing list