[Whonix-devel] Appropriate place to ask questions on how Debian derivatives would best interact with Debian's implementation of pam?
adrelanos at riseup.net
Sat Jul 13 15:46:00 CEST 2019
below attached is a question on the subject of pam integration in Debian
by derivatives of Debian.
What would be an appropriate place to ask such questions, a
libpam-runtime wishlist report? Or is there a more appropriate place to ask?
cc'd whonix-devel mailing list so all our readers can benefit from your
X-Debbugs-CC: whonix-devel at whonix.org
The Whonix project (I am representing now) using package security-misc
would like modify /etc/pam.d/su. Remove
#auth required pam_wheel.so
And replace it by:
auth required pam_wheel.so
Of course we're not adamant about the way this gets implemented. Clean /
standard conform way preferred. What we really want to accomplish is
"force users to be a member of group root before they can use `su'".
Would implementing this this by shipping a file
/usr/share/pam-configs/wheel with the following contents...:
Name: group root membership required to use su (by package security-misc)
...be a sane way to implement this?
Or would we have to fork util-linux to edit /etc/pam.d/su? That would be
a too heavyweight solution for us. Or is config-package-dev displace
/etc/pam.d/su actually an OK idea?
This might also be interesting to know for other derivatives of Debian.
Such as. The Qubes project made a modification to /etc/pam.d/su. 
Perhaps not the correct way?
More information about the Whonix-devel