[Whonix-devel] Appropriate place to ask questions on how Debian derivatives would best interact with Debian's implementation of pam?

Sat Jul 13 15:46:00 CEST 2019

Hello Steve,

below attached is a question on the subject of pam integration in Debian
by derivatives of Debian.

What would be an appropriate place to ask such questions, a
libpam-runtime wishlist report? Or is there a more appropriate place to ask?

cc'd whonix-devel mailing list so all our readers can benefit from your
reply.

Kind regards,
Patrick

Package: libpam-runtime
Severity: wishlist
X-Debbugs-CC: whonix-devel at whonix.org

The Whonix project (I am representing now) using package security-misc
would like modify /etc/pam.d/su. Remove
#auth       required   pam_wheel.so
And replace it by:
auth       required   pam_wheel.so

Of course we're not adamant about the way this gets implemented. Clean /
standard conform way preferred. What we really want to accomplish is
"force users to be a member of group root before they can use `su'".

Would implementing this this by shipping a file
/usr/share/pam-configs/wheel with the following contents...:

Name: group root membership required to use su (by package security-misc)
Default: yes
Priority: 260
Auth-Type: Primary
Auth:
	required	pam_wheel.so

...be a sane way to implement this?

Or would we have to fork util-linux to edit /etc/pam.d/su? That would be
a too heavyweight solution for us. Or is config-package-dev displace
/etc/pam.d/su actually an OK idea?

This might also be interesting to know for other derivatives of Debian.
Such as. The Qubes project made a modification to /etc/pam.d/su. [1]
Perhaps not the correct way?

/etc/pam.d/common-password

[1] https://github.com/QubesOS/qubes-issues/issues/1128