X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=coreutils-pam.patch;h=6c2b01ee4ed1cce01eac52f9055ec88d8d93f249;hb=e80ed3e54531ed18ae00d741754bc7b242fab09b;hp=cbbc6a5b7684f9aea7e25d506bc7c7b9dae3c862;hpb=40ce7301a5820c5b1653c289536a276cc15b7951;p=packages%2Fcoreutils.git diff --git a/coreutils-pam.patch b/coreutils-pam.patch index cbbc6a5..6c2b01e 100644 --- a/coreutils-pam.patch +++ b/coreutils-pam.patch 
@@ -1,86 +1,17 @@ -diff -Nur sh-utils-2.0.12.orig/configure.ac sh-utils-2.0.12/configure.ac ---- sh-utils-2.0.12.orig/configure.ac Sun Apr 28 11:29:18 2002 -+++ sh-utils-2.0.12/configure.ac Mon May 27 23:10:36 2002 -@@ -8,6 +8,13 @@ +--- coreutils-6.7/src/Makefile.am.pam 2006-11-24 21:28:10.000000000 +0000 ++++ coreutils-6.7/src/Makefile.am 2007-01-09 17:00:01.000000000 +0000 +@@ -359,7 +359,7 @@ + uptime_LDADD += $(GETLOADAVG_LIBS) - AM_INIT_AUTOMAKE([1.6b gnits dist-bzip2]) + # for crypt +-su_LDADD += $(LIB_CRYPT) ++su_LDADD += $(LIB_CRYPT) $(LIB_PAM) -+dnl Give the chance to enable PAM -+AC_ARG_ENABLE(pam, dnl -+[ --enable-pam Enable use of the PAM libraries], -+AC_DEFINE(USE_PAM,,[Use PAM?]) -+LIB_PAM="-ldl -lpam -lpam_misc" -+) -+ - AC_GNU_SOURCE - jm_PERL - AC_PROG_CC -@@ -238,6 +245,13 @@ - - AM_GNU_GETTEXT([external]) - -+# just in case we want PAM -+AC_SUBST(LIB_PAM) -+# with PAM su doesn't need libcrypt -+if test -n "$LIB_PAM" ; then -+ LIB_CRYPT= -+fi -+ - AC_CONFIG_FILES( - Makefile - doc/Makefile -diff -Nur sh-utils-2.0.12.orig/doc/coreutils.texi sh-utils-2.0.12/doc/coreutils.texi ---- sh-utils-2.0.12.orig/doc/coreutils.texi Sun Apr 28 23:55:31 2002 -+++ sh-utils-2.0.12/doc/coreutils.texi Mon May 27 23:11:49 2002 -@@ -10898,32 +10898,6 @@ - - @end table - --@cindex wheel group, not supported --@cindex group wheel, not supported --@cindex fascism --@heading Why GNU @command{su} does not support the @samp{wheel} group -- --(This section is by Richard Stallman.) -- --@cindex Twenex --@cindex MIT AI lab --Sometimes a few of the users try to hold total power over all the --rest. For example, in 1984, a few users at the MIT AI lab decided to --seize power by changing the operator password on the Twenex system and --keeping it secret from everyone else. (I was able to thwart this coup --and give power back to the users by patching the kernel, but I --wouldn't know how to do that in Unix.) -- --However, occasionally the rulers do tell someone. 
Under the usual --@command{su} mechanism, once someone learns the root password who --sympathizes with the ordinary users, he or she can tell the rest. The --``wheel group'' feature would make this impossible, and thus cement the --power of the rulers. -- --I'm on the side of the masses, not that of the rulers. If you are --used to supporting the bosses and sysadmins in whatever they do, you --might find this idea strange at first. -- - - @node Process control - @chapter Process control -diff -Nur sh-utils-2.0.12.orig/src/Makefile.am sh-utils-2.0.12/src/Makefile.am ---- sh-utils-2.0.12.orig/src/Makefile.am Mon May 27 23:06:24 2002 -+++ sh-utils-2.0.12/src/Makefile.am Mon May 27 23:09:22 2002 -@@ -47,7 +47,7 @@ - - uptime_LDADD = $(LDADD) @GETLOADAVG_LIBS@ - --su_LDADD = $(LDADD) @LIB_CRYPT@ -+su_LDADD = $(LDADD) @LIB_CRYPT@ @LIB_PAM@ - - $(PROGRAMS): ../lib/libfetish.a - -diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c ---- sh-utils-2.0.12.orig/src/su.c Mon May 27 23:06:24 2002 -+++ sh-utils-2.0.12/src/su.c Mon May 27 23:08:28 2002 -@@ -38,6 +38,16 @@ + # for various ACL functions + copy_LDADD += $(LIB_ACL) +--- coreutils-6.10/src/su.c.orig 2007-11-25 14:23:31.000000000 +0100 ++++ coreutils-6.10/src/su.c 2008-03-02 02:07:13.568059486 +0100 +@@ -37,6 +37,16 @@ restricts who can su to UID 0 accounts. RMS considers that to be fascist. 
@@ -94,44 +25,45 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c + +#endif + - Options: - -, -l, --login Make the subshell a login shell. - Unset all environment variables except -@@ -81,6 +91,14 @@ + Compile-time options: + -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog. + -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog. +@@ -58,6 +68,15 @@ prototype (returning `int') in . */ #define getusershell _getusershell_sys_proto_ +#ifdef USE_PAM -+# include -+# include +# include +# include +# include ++# include ++# include ++# include +#endif /* USE_PAM */ + #include "system.h" - #include "closeout.h" - #include "dirname.h" -@@ -151,7 +169,9 @@ + #include "getpass.h" + +@@ -130,10 +130,17 @@ /* The user to become if none is specified. */ #define DEFAULT_USER "root" +#ifndef USE_PAM - char *crypt (); + char *crypt (char const *key, char const *salt); +#endif - char *getpass (); - char *getusershell (); - void endusershell (); -@@ -159,7 +179,7 @@ - - extern char **environ; --static void run_shell (const char *, const char *, char **) -+static void run_shell (const char *, const char *, char **, const struct passwd *) +-static void run_shell (char const *, char const *, char **, size_t) ++static void run_shell (char const *, char const *, char **, size_t, ++ const struct passwd *) ++#ifdef USE_PAM ++ ; ++#else ATTRIBUTE_NORETURN; ++#endif - /* The name this program was run with. */ -@@ -272,7 +292,22 @@ + /* If true, pass the `-f' option to the subshell. */ + static bool fast_startup; +@@ -215,7 +241,26 @@ } #endif 
@@ -147,35 +79,54 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c + pam_end(pamh, PAM_SUCCESS); \ + return 0; \ +} ++#define PAM_BAIL_P_VOID if (retval) { \ ++ pam_end(pamh, PAM_SUCCESS); \ ++return; \ ++} +#endif + /* Ask the user for a password. + If PAM is in use, let PAM ask for the password if necessary. - Return 1 if the user gives the correct password for entry PW, - 0 if not. Return 1 without asking for a password if run by UID 0 + Return true if the user gives the correct password for entry PW, + false if not. Return true without asking for a password if run by UID 0 or if PW has an empty password. */ -@@ -280,6 +315,29 @@ - static int +@@ -223,6 +268,44 @@ + static bool correct_password (const struct passwd *pw) { +#ifdef USE_PAM -+ /* root always succeeds; this isn't an authentication question (no -+ * extra privs are being granted) so it shouldn't authenticate with PAM. -+ * However, we want to create the pam_handle so that proper credentials -+ * are created later with pam_setcred(). */ ++ struct passwd *caller; ++ char *tty_name, *ttyn; + retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh); + PAM_BAIL_P; + ++ if (getuid() != 0 && !isatty(0)) { ++ fprintf(stderr, _("standard in must be a tty\n")); ++ exit(1); ++ } ++ ++ caller = getpwuid(getuid()); ++ if(caller != NULL && caller->pw_name != NULL) { ++ retval = pam_set_item(pamh, PAM_RUSER, caller->pw_name); ++ PAM_BAIL_P; ++ } ++ ++ ttyn = ttyname(0); ++ if (ttyn) { ++ if (strncmp(ttyn, "/dev/", 5) == 0) ++ tty_name = ttyn+5; ++ else ++ tty_name = ttyn; ++ retval = pam_set_item(pamh, PAM_TTY, tty_name); ++ PAM_BAIL_P; ++ } + retval = pam_authenticate(pamh, 0); + PAM_BAIL_P; -+ + retval = pam_acct_mgmt(pamh, 0); -+ if (retval == PAM_NEW_AUTHTOK_REQD) { ++ if (retval == PAM_NEW_AUTHTOK_REQD && getuid()) { + /* password has expired. Offer option to change it. 
*/ -+ if (getuid()) { -+ retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ PAM_BAIL_P; -+ } else retval = PAM_SUCCESS; ++ retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ PAM_BAIL_P; + } + PAM_BAIL_P; + /* must be authenticated if this point was reached */ 
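Review bot: A caller running as root is now refused in correct_password when pam_acct_mgmt returns PAM_NEW_AUTHTOK_REQD. The merged test `if (retval == PAM_NEW_AUTHTOK_REQD && getuid())` skips the branch for uid 0, retval stays non-zero, and the `PAM_BAIL_P;` after the block bails out (assuming it tests retval the same way as the PAM_BAIL_P_VOID added above it). The lines being replaced reset `retval = PAM_SUCCESS` for that case, so this fails closed and is a regression for root rather than a bypass. If root should still pass, add `else if (retval == PAM_NEW_AUTHTOK_REQD) retval = PAM_SUCCESS;` after the block; if the refusal is intended, a comment saying so would prevent a later "fix". Separately, the `exit(1)` taken when stdin is not a tty leaves without calling pam_end on the handle that pam_start just created; correct_password begins in this hunk and continues past it.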
@@ -184,48 +135,49 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c char *unencrypted, *encrypted, *correct; #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP /* Shadow passwd stuff for SVR3 and maybe other systems. */ -@@ -304,6 +362,7 @@ +@@ -247,6 +330,7 @@ encrypted = crypt (unencrypted, correct); memset (unencrypted, 0, strlen (unencrypted)); - return strcmp (encrypted, correct) == 0; + return STREQ (encrypted, correct); +#endif /* !USE_PAM */ } /* Update `environ' for the new shell based on PW, with SHELL being -@@ -313,16 +372,20 @@ - modify_environment (const struct passwd *pw, const char *shell) - { - char *term; -+ char *display; - - if (simulate_login) - { -- /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH. -+ /* Leave TERM, DISPLAY unchanged. Set HOME, SHELL, USER, LOGNAME, PATH. +@@ -260,12 +344,18 @@ + /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH. Unset all other environment variables. */ - term = getenv ("TERM"); -+ display = getenv ("DISPLAY"); - environ = (char **) xmalloc (2 * sizeof (char *)); - environ[0] = 0; + char const *term = getenv ("TERM"); ++ char const *display = getenv ("DISPLAY"); ++ char const *xauthority = getenv ("XAUTHORITY"); + if (term) + term = xstrdup (term); + environ = xmalloc ((6 + !!term) * sizeof (char *)); + environ[0] = NULL; if (term) - xputenv (concat ("TERM", "=", term)); + xsetenv ("TERM", term); + if (display) -+ xputenv (concat ("DISPLAY", "=", display)); - xputenv (concat ("HOME", "=", pw->pw_dir)); - xputenv (concat ("SHELL", "=", shell)); - xputenv (concat ("USER", "=", pw->pw_name)); -@@ -359,23 +422,73 @@ - error (EXIT_FAILURE, errno, _("cannot set groups")); ++ xsetenv ("DISPLAY", display); ++ if (xauthority) ++ xsetenv ("XAUTHORITY", xauthority); + xsetenv ("HOME", pw->pw_dir); + xsetenv ("SHELL", shell); + xsetenv ("USER", pw->pw_name); +@@ -373,8 +373,13 @@ + { + #ifdef HAVE_INITGROUPS + errno = 0; +- if (initgroups (pw->pw_name, pw->pw_gid) == -1) ++ if 
(initgroups (pw->pw_name, pw->pw_gid) == -1) { ++#ifdef USE_PAM ++ pam_close_session(pamh, 0); ++ pam_end(pamh, PAM_ABORT); ++#endif + error (EXIT_CANCELED, errno, _("cannot set groups")); ++ } endgrent (); #endif -+#ifdef USE_PAM -+ retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); -+ if (retval != PAM_SUCCESS) -+ error (1, 0, pam_strerror(pamh, retval)); -+#endif /* USE_PAM */ if (setgid (pw->pw_gid)) - error (EXIT_FAILURE, errno, _("cannot set group id")); - if (setuid (pw->pw_uid)) +@@ -308,6 +403,31 @@ error (EXIT_FAILURE, errno, _("cannot set user id")); } @@ -245,7 +197,8 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c + env = pam_getenvlist(pamh); + if(env) { + while(*env) { -+ xputenv(*env); ++ if (putenv (*env)) ++ xalloc_die (); + env++; + } + } @@ -255,15 +208,17 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c + /* Run SHELL, or DEFAULT_SHELL if SHELL is empty. If COMMAND is nonzero, pass it to the shell with the -c option. - If ADDITIONAL_ARGS is nonzero, pass it to the shell as more - arguments. */ + Pass ADDITIONAL_ARGS to the shell as more arguments; there +@@ -315,17 +435,49 @@ static void --run_shell (const char *shell, const char *command, char **additional_args) -+run_shell (const char *shell, const char *command, char **additional_args, const struct passwd *pw) + run_shell (char const *shell, char const *command, char **additional_args, +- size_t n_additional_args) ++ size_t n_additional_args, const struct passwd *pw) { - const char **args; - int argno = 1; + size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1; + char const **args = xnmalloc (n_args, sizeof *args); + size_t argno = 1; +#ifdef USE_PAM + int child; + sigset_t ourset; 
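Review bot: In modify_environment, the login branch now carries the caller's DISPLAY and XAUTHORITY into an environment that is otherwise rebuilt from the target account, but the comment above it still reads "Leave TERM unchanged" and the allocation is still `xmalloc ((6 + !!term) * sizeof (char *))`. Both values are chosen by the invoking user, so X clients started in the new login session will use a display and an authority file path that the caller picked. That trust decision should be stated in the comment, for example `/* Leave TERM, DISPLAY and XAUTHORITY unchanged; these are caller-controlled. */`. Whether the array size matters depends on how xsetenv grows environ, which is not visible here; `(6 + !!term + !!display + !!xauthority)` would keep the count in step with what is stored. The function starts and ends outside this hunk.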
@@ -280,22 +235,41 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c +*/ + if(pam_copyenv(pamh) != PAM_SUCCESS) + fprintf (stderr, _("error copying PAM environment\n")); - ++ ++ /* Credentials should be set in the parent */ ++ if (pam_setcred(pamh, PAM_ESTABLISH_CRED) != PAM_SUCCESS) { ++ pam_close_session(pamh, 0); ++ fprintf(stderr, _("could not set PAM credentials\n")); ++ exit(1); ++ } ++ + child = fork(); + if (child == 0) { /* child shell */ + change_identity (pw); + pam_end(pamh, 0); +#endif - if (additional_args) - args = (const char **) xmalloc (sizeof (char *) - * (10 + elements (additional_args))); -@@ -408,6 +521,61 @@ - error (0, errno, "%s", shell); - exit (exit_status); + + if (simulate_login) + { + char *arg0; + char *shell_basename; + ++ if(chdir(pw->pw_dir)) ++ error(0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); ++ + shell_basename = last_component (shell); + arg0 = xmalloc (strlen (shell_basename) + 2); + arg0[0] = '-'; +@@ -350,6 +502,66 @@ + error (0, errno, "%s", shell); + exit (exit_status); } +#ifdef USE_PAM + } else if (child == -1) { + fprintf(stderr, _("can not fork user shell: %s"), strerror(errno)); ++ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); ++ pam_close_session(pamh, 0); ++ pam_end(pamh, PAM_ABORT); + exit(1); + } + /* parent only */ 
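Review bot: The failure branch added for `pam_setcred(pamh, PAM_ESTABLISH_CRED)` calls pam_close_session and then `exit(1)` without pam_end, whereas the fork-failure branch added lower in the same hunk finishes with `pam_end(pamh, PAM_ABORT);`. The first branch should end the same way so that module cleanup runs on both error paths. In the child, the existing `pam_end(pamh, 0);` runs the modules' cleanup in a forked copy while the parent still owns the session and credentials; Linux-PAM provides PAM_DATA_SILENT for exactly this case, so `pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);` is the safer call. The fork-error string is written "can not fork user shell: %s" with no trailing newline, while the po entry added in this commit uses "cannot fork user shell: %s", so the translation would apparently never match. run_shell starts before this hunk and continues after it.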
@@ -336,34 +310,401 @@ diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c + fprintf(stderr, _("\nSession terminated, killing shell...")); + kill (child, SIGTERM); + } ++ /* Not checking retval on this because we need to call close session */ ++ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); + retval = pam_close_session(pamh, 0); -+ PAM_BAIL_P; ++ PAM_BAIL_P_VOID; + retval = pam_end(pamh, PAM_SUCCESS); -+ PAM_BAIL_P; ++ PAM_BAIL_P_VOID; + if (caught) { + sleep(2); + kill(child, SIGKILL); -+ fprintf(stderr, _(" killed.\n")); ++ fprintf(stderr, _(" ...killed.\n")); + exit(-1); + } + exit (WEXITSTATUS(status)); +#endif /* USE_PAM */ } - /* Return 1 if SHELL is a restricted shell (one not returned by -@@ -580,9 +748,14 @@ - } + /* Return true if SHELL is a restricted shell (one not returned by +@@ -714,9 +714,9 @@ + shell = xstrdup (shell ? shell : pw->pw_shell); modify_environment (pw, shell); -+ -+#ifdef USE_PAM -+ setfsuid(pw->pw_uid); -+#else ++#ifndef USE_PAM change_identity (pw); +- if (simulate_login && chdir (pw->pw_dir) != 0) +- error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); +#endif - if (simulate_login && chdir (pw->pw_dir)) - error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); -- run_shell (shell, command, additional_args); -+ run_shell (shell, command, additional_args, pw); + /* error() flushes stderr, but does not check for write failure. 
+ Normally, we would catch this via our atexit() hook of +@@ -726,5 +726,5 @@ + if (ferror (stderr)) + exit (EXIT_CANCELED); + +- run_shell (shell, command, argv + optind, MAX (0, argc - optind)); ++ run_shell (shell, command, argv + optind, MAX (0, argc - optind), pw); } +--- coreutils-6.7/doc/coreutils.texi.pam 2006-10-27 15:30:48.000000000 +0100 ++++ coreutils-6.7/doc/coreutils.texi 2007-01-09 17:00:01.000000000 +0000 +@@ -13395,8 +13395,11 @@ + @findex syslog + @command{su} can optionally be compiled to use @code{syslog} to report + failed, and optionally successful, @command{su} attempts. (If the system +-supports @code{syslog}.) However, GNU @command{su} does not check if the +-user is a member of the @code{wheel} group; see below. ++supports @code{syslog}.) ++ ++This version of @command{su} has support for using PAM for ++authentication. You can edit @file{/etc/pam.d/su} to customize its ++behaviour. + + The program accepts the following options. Also see @ref{Common options}. + +@@ -11892,32 +11892,6 @@ + the exit status of the subshell otherwise + @end display + +-@cindex wheel group, not supported +-@cindex group wheel, not supported +-@cindex fascism +-@subsection Why GNU @command{su} does not support the @samp{wheel} group +- +-(This section is by Richard Stallman.) +- +-@cindex Twenex +-@cindex MIT AI lab +-Sometimes a few of the users try to hold total power over all the +-rest. For example, in 1984, a few users at the MIT AI lab decided to +-seize power by changing the operator password on the Twenex system and +-keeping it secret from everyone else. (I was able to thwart this coup +-and give power back to the users by patching the kernel, but I +-wouldn't know how to do that in Unix.) +- +-However, occasionally the rulers do tell someone. Under the usual +-@command{su} mechanism, once someone learns the root password who +-sympathizes with the ordinary users, he or she can tell the rest. 
The +-``wheel group'' feature would make this impossible, and thus cement the +-power of the rulers. +- +-I'm on the side of the masses, not that of the rulers. If you are +-used to supporting the bosses and sysadmins in whatever they do, you +-might find this idea strange at first. +- + + @node Delaying + @chapter Delaying +--- coreutils-6.10/configure.ac.orig 2008-01-13 09:14:23.000000000 +0100 ++++ coreutils-6.10/configure.ac 2008-03-02 02:08:10.027276914 +0100 +@@ -44,6 +44,13 @@ + gl_INIT + coreutils_MACROS + ++dnl Give the chance to enable PAM ++AC_ARG_ENABLE(pam, dnl ++[ --enable-pam Enable use of the PAM libraries], ++AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) ++LIB_PAM="-ldl -lpam -lpam_misc" ++) ++ + AC_FUNC_FORK + + optional_bin_progs= +@@ -332,6 +339,13 @@ + AM_GNU_GETTEXT([external], [need-formatstring-macros]) + AM_GNU_GETTEXT_VERSION([0.15]) + ++# just in case we want PAM ++AC_SUBST(LIB_PAM) ++# with PAM su doesn't need libcrypt ++if test -n "$LIB_PAM" ; then ++ LIB_CRYPT= ++fi ++ + AC_CONFIG_FILES( + Makefile + doc/Makefile +--- coreutils-6.10/po/pl.po.orig 2008-01-16 21:22:08.000000000 +0100 ++++ coreutils-6.10/po/pl.po 2008-03-02 02:09:23.671473657 +0100 +@@ -8875,6 +8875,49 @@ + msgid "Usage: %s [OPTION]... [-] [USER [ARG]...]\n" + msgstr "Składnia: %s [OPCJA]... 
[-] [UÅ»YTKOWNIK [ARGUMENT]...]\n" + ++#: src/su.c:300 ++msgid "standard in must be a tty\n\n" ++msgstr "standardowe wejście musi być terminalem\n" ++ ++#: src/su.c:425 ++msgid "could not open session\n" ++msgstr "nie można otworzyć sesji\n" ++ ++#: src/su.c:433 ++msgid "error copying PAM environment\n" ++msgstr "błąd podczas kopiowania środowiska PAM\n" ++ ++#: src/su.c:450 ++msgid "could not set PAM credentials\n" ++msgstr "błąd podczas ustawiania uwierzytelnienia PAM\n" ++ ++#: src/su.c:471 ++#, c-format ++msgid "cannot fork user shell: %s" ++msgstr "nie można utworzyć procesu powłoki użytkownika: %s" ++ ++#: src/su.c:477 ++#, c-format ++msgid "%s: signal malfunction\n" ++msgstr "%s: błędne działanie sygnałów\n" ++ ++#: src/su.c:490 ++#, c-format ++msgid "%s: signal masking malfunction\n" ++msgstr "%s: błędne działanie maskowania sygnałów\n" ++ ++#: src/su.c:509 ++msgid "" ++"\n" ++"Session terminated, killing shell..." ++msgstr "" ++"\n" ++"Sesja zakończona, zabijanie powłoki..." ++ ++#: src/su.c:519 ++msgid " killed.\n" ++msgstr " zabito.\n" ++ + #: src/su.c:382 + msgid "" + "Change the effective user id and group id to that of USER.\n" +diff -Nur coreutils-5.2.1.orig/man/es/su.1 coreutils-5.2.1/man/es/su.1 +--- coreutils-5.2.1.orig/man/es/su.1 Mon Apr 12 14:26:19 1999 ++++ coreutils-5.2.1/man/es/su.1 Thu Mar 18 17:05:55 2004 +@@ -47,13 +47,6 @@ + puede ser compilado para reportar fallo, y opcionalmente éxito en syslog. + .B su + intentará utilizar syslog. +-.PP +-Este programa no soporta el grupo "wheel", el cual restringe quien podrá +-ejecutar +-.B su +-hacia la cuenta de root (el superusuario) ya que esta política podría +-ayudar a los administradores de máquinas a facilitar un uso inadecuado a otros +-usuarios. + .SS OPCIONES + .TP + .I "\-c COMANDO, \-\-command=COMANDO" +@@ -118,22 +111,3 @@ + .I "\-\-version" + Escribe información sobre la versión en la salida estándar y acaba sin + provocar error. 
+- +-.SH Por que GNU no soporta el grupo "wheel" (por Richard Stallman) +-A veces, algunos listillos intentan hacerse con el poder total +-sobre el resto de usuarios. Por ejemplo, en 1984, un grupo de usuarios del +-laboratorio de Inteligencia Artificial del MIT decidieron tomar el poder +-cambiando el password de operador del sistema Twenex y manteniendolo secreto +-para el resto de usuarios. (De todas maneras, hubiera sido posible desbaratar +-la situación y devolver el control a los usuarios legítimos parcheando el +-kernel, pero no sabría como realizar esta operación en un sistema Unix.) +-.PP +-Sin embargo, casualmente alguien contó el secreto. Mediante el uso habitual de +-.B su +-una vez que alguien conoce el password de root puede contarselo al resto de +-usuarios. El grupo "wheel" hará que esto sea imposible, protegiendo así el poder +-de los superusuarios. +-.PP +-Yo estoy del lado de las masas, no de los superusuarios. Si eres de los que +-estan de acuerdo con los jefes y los administradores de sistemas en cualquier +-cosa que hagan, al principio encontrarás esta idea algo extraña. +diff -Nur coreutils-5.2.1.orig/man/fr/su.1 coreutils-5.2.1/man/fr/su.1 +--- coreutils-5.2.1.orig/man/fr/su.1 Sun Aug 10 12:00:00 2003 ++++ coreutils-5.2.1/man/fr/su.1 Thu Mar 18 17:05:55 2004 +@@ -54,13 +54,6 @@ + peut être compilé afin de fournir des rapports d'échec, et éventuellement + de réussite des tentatives d'utilisation de + .BR su . +-.PP +-Ce programme ne gère pas le "groupe wheel" utilisé pour restreindre +-l'accès par +-.B su +-au compte Super-Utilisateur, car il pourrait aider des administrateurs +-système fascistes à disposer d'un pouvoir incontrôlé +-sur les autres utilisateurs. + .SS OPTIONS + .TP + .I "\-c COMMANDE, \-\-command=COMMANDE" +@@ -119,25 +112,5 @@ + .I "\-\-version" + Afficher un numéro de version sur la sortie standard et se terminer normalement. 
+ +-.SH Pourquoi GNU SU ne gère-t-il pas le groupe `wheel' (par Richard Stallman) +-Il peut arriver qu'un petit groupe d'utilisateurs essayent de s'approprier +-l'ensemble du système. Par exemple, en 1984, quelques utilisateurs du +-laboratoire d'I.A du MIT ont tentés de prendre le pouvoir en modifiant +-le mot de passe de l'opérateur sur le système Twenex, et en +-gardant ce mot de passe secret. (J'ai pu les en empêcher en modifiant le noyau, et +-restaurer ainsi les autres accès, mais je ne saurais pas en faire autant +-sous Unix). +-.PP +-Néanmoins, il arrive parfois que les chefs fournissent le mot +-de passe de root à un utilisateur ordinaire. +-Avec le mécanisme habituel de \fBsu\fP, +-une fois que quelqu'un connaît ce mot de passe, il peut le transmettre +-à ses amis. Le principe du "groupe wheel" rend ce partage impossible, +-ce qui renforce la puissance des chefs. +-.PP +-Je me situe du cote du peuple, pas du côté des chefs. Si vous avez l'habitude +-de soutenir les patrons et les administrateurs systèmes quoi qu'ils fassent, +-cette idée peut vous paraître étrange au premier abord. +- + .SH TRADUCTION + Christophe Blaess, 1997-2003. +diff -Nur coreutils-5.2.1.orig/man/hu/su.1 coreutils-5.2.1/man/hu/su.1 +--- coreutils-5.2.1.orig/man/hu/su.1 Sun Jul 9 14:19:12 2000 ++++ coreutils-5.2.1/man/hu/su.1 Thu Mar 18 17:05:55 2004 +@@ -151,33 +151,6 @@ + .B "\-\-version" + A program verziójáról ír ki információt a standard kimenetre, majd + sikeres visszatérési értékkel kilép. +-.SH Miért nem támogatja a GNU su a wheel csoportot? (Richard Stallman) +- +-Néha a rendszer fölötti teljes ellenõrzést egy néhány emberbõl +-álló csoport akarja kézbe venni. Például 1984-ben pár user a MIT AI +-laborban úgy döntött, hogy átveszik az irányítást a Twenex rendszer +-operátori jelszavának megváltoztatásával, és annak titokban tartásával. 
+-(A puccsot sikerült leverni, és a felhasználókat jogaikba visszahelyezni +-egy kernel patch segítségével, de Unix alatt ezt nem tudtam volna megcsinálni.) +-(A fordító megj.: a wheel csoportot ezzel a módszerrel könnyen +-önkényesen is leszûkíthetik a csoporttagok , így tulajdonképpen nincs sok értelme.) +-.PP +-Néha az uralmon levõk elárulják a root jelszót. A szokásos su +-mechanizmus szerint, ha valaki megtudja a root jelszót, és +-szimpatizál a többi közönséges felhasználóval, elárulhatja nekik +-is. A wheel csoport ezt lehetetlenné tenné, és így bebetonozná az +-uralmon levõ hatalmát. +-.PP +-Én a tömegek oldalán állok, nem az uralkodókén. Ha te mindig a +-fõnökök és a rendszergazdák oldalán állsz, bármit is tesznek, akkor +-valószínûleg furcsálni fogod ezt a hozzáállást. +-.PP +-A fordító megjegyzése: +-Valami jó azért mégis lenne a wheel csoportban: az, hogy ha a root +-jelszó kitudódna azzal nem tudna bármelyik felhasználó közvetlenül +-visszaélni. A wheel csoporthoz hasonló dolgot lehet elérni a +-.B sudo +-csomaggal. + .SH MEGJEGYZÉS + A hibákat a bug-sh-utils@gnu.org címen lehet jelenteni. + Az oldalt Ragnar Hojland Espinosa frissítette. +diff -Nur coreutils-5.2.1.orig/man/it/su.1 coreutils-5.2.1/man/it/su.1 +--- coreutils-5.2.1.orig/man/it/su.1 Mon Jul 1 23:09:38 2002 ++++ coreutils-5.2.1/man/it/su.1 Thu Mar 18 17:05:55 2004 +@@ -52,11 +52,6 @@ + .B su + può essere compilato per riportare tramite syslog gli errori, ed + eventualmente anche i successi che ottiene. +-.PP +-Questo programma non supporta un "gruppo wheel" che limita chi può fare +-.B su +-agli account del superuser, poiché ciò può aiutare amministratori di +-sistema "fascisti" a tenere un potere inautorizzato sugli altri utenti. + .SS OPZIONI + .TP + .I "\-c COMANDO, \-\-command=COMANDO" +@@ -117,21 +112,3 @@ + .I "\-\-version" + Stampa in standard output informazioni sulla versione e esce (con + successo). 
+-.SH Perché GNU su non supporta il gruppo wheel (di Richard Stallman) +-Qualche volta pochi utenti provano a tenere il potere assoluto sul +-resto degli utenti. Per esempio, nel 1984, alcuni utenti nel +-laboratorio di AI del MIT decisero impossessarsi del potere cambiando +-la password dell'operatore su un sistema Twenex e tenendola segreta a +-tutti gli altri (fui in grado di contrastare questo colpaccio e +-restituire il potere agli utenti ``patch-ando'' il kernel, ma non +-saprei come fare ciò in Unix). +-.PP +-Comunque, occasionalmente i sovrani lo fanno. Tramite l'usuale +-meccanismo su, una volta che qualcuno che simpatizzi con gli +-utenti normali, abbia imparato la password di root può dirla anche +-agli altri. La caratteristica del "gruppo wheel" renderebbe ciò +-impossibile, consolidando quindi il potere dei sovrani. +-.PP +-Io sono dalla parte delle masse, non da quella dei sovrani. Se tu sei +-abituato a sostenere i capi e gli amministratori di sistema in tutto +-quello che fanno, potresti trovare questa idea strana all'inizio. 
+diff -Nur coreutils-5.2.1.orig/man/ja/su.1 coreutils-5.2.1/man/ja/su.1 +--- coreutils-5.2.1.orig/man/ja/su.1 Sun Dec 14 16:06:54 2003 ++++ coreutils-5.2.1/man/ja/su.1 Thu Mar 18 17:05:55 2004 +@@ -83,12 +83,6 @@ + .B su + ¤¬¼ºÇÔ¤·¤¿¤È¤­ syslog ¤Ë¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¥³¥ó¥Ñ¥¤¥ë¤¹¤ë¤³¤È + ¤¬¤Ç¤­¤ë¡ÊÀ®¸ù¤ò¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¤â¤Ç¤­¤ë¡Ë¡£ +-.PP +-¤³¤Î¥×¥í¥°¥é¥à¤Ï "wheel group" ¤Îµ¡Ç½¡Ê +-.B su +-¤Ë¤è¤Ã¤Æ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¡¼¥¢¥«¥¦¥ó¥È¤Ë¤Ê¤ì¤ë¥æ¡¼¥¶¤òÀ©¸Â¤¹¤ëµ¡Ç½¡Ë¤ò¥µ¥Ý¡¼ +-¥È¤·¤Ê¤¤¡£¤³¤ì¤ÏÀìÀ©Åª¤Ê¥·¥¹¥Æ¥à´ÉÍý¼Ô¤¬Â¾¤Î¥æ¡¼¥¶¡¼¤ËÉÔÅö¤Ê¸¢ÎϤò¿¶¤ë +-¤¨¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤¿¤á¤Ç¤¢¤ë¡£ + .SS OPTIONS + .TP + .I "\-c COMMAND, \-\-command=COMMAND" +@@ -151,19 +145,3 @@ + .TP + .I "\-\-version" + ¥Ð¡¼¥¸¥ç¥ó¾ðÊó¤òɸ½à½ÐÎϤËɽ¼¨¤·¡¢¼Â¹ÔÀ®¸ù¤òÊÖ¤·¤Æ½ªÎ»¤¹¤ë¡£ +-.SH GNU su ¤Ç wheel ¥°¥ë¡¼¥×¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¤ï¤±¡ÊRichard Stallman¡Ë +-¤È¤­¤ª¤ê¡¢¾¯¿ô¤Î¥æ¡¼¥¶¡¼¤Ë¤è¤Ã¤Æ¡¢Â¾¤Î¥æ¡¼¥¶¡¼¤ËÂФ¹¤ëÁ´¸¢¤ò¾¸°®¤·¤è¤¦ +-¤È¤¹¤ë»î¤ß¤¬¤Ê¤µ¤ì¤ë¤³¤È¤¬¤¢¤ë¡£Î㤨¤Ð 1984 ǯ¡¢ MIT AI ¥é¥Ü¤Î¾¯¿ô¤Î¥æ¡¼ +-¥¶¡¼¤Ï Twenex ¥·¥¹¥Æ¥à¤Î¥ª¥Ú¥ì¡¼¥¿¡¼¥Ñ¥¹¥ï¡¼¥É¤ÎÊѹ¹¸¢¸Â¤ò¶¯Ã¥¤·¡¢¤³¤ì +-¤ò¾¤Î¥æ¡¼¥¶¡¼¤«¤éÈëÆ¿¤¹¤ë¤³¤È¤Ë·èÄꤷ¤¿¡Ê¤³¤ÎºÝ¤Ë¤Ï»ä¤Ï¤³¤Î¥¯¡¼¥Ç¥¿¡¼ +-¤Î΢¤ò¤«¤­¡¢¥«¡¼¥Í¥ë¤Ë¥Ñ¥Ã¥Á¤òÅö¤Æ¤Æ¸¢¸Â¤ò¼è¤êÊÖ¤¹¤³¤È¤ËÀ®¸ù¤·¤¿¡£¤·¤« +-¤·¤³¤ì¤¬ Unix ¤Ç¤¢¤Ã¤¿¤é¡¢»ä¤Ë¤Ï¤É¤¦¤¹¤ì¤Ð¤è¤¤¤«¤ï¤«¤é¤Ê¤«¤Ã¤¿¤À¤í¤¦¡Ë¡£ +-.PP +-¤·¤«¤·¤Ê¤¬¤é¡¢»þ¤Ë¤ÏÀìÀ©¼Ô¤âÈëÌ©¤òϳ¤é¤¹¤â¤Î¤Ç¤¢¤ë¡£Ä̾ï¤Î su ¤Î¥á¥«¥Ë +-¥º¥à¤Ç¤Ï¡¢°ìÈ̥桼¥¶¡¼¤Î¦¤ËΩ¤Ä¼Ô¤¬ root ¤Î¥Ñ¥¹¥ï¡¼¥É¤òÃΤì¤Ð¡¢¤³¤ì¤ò +-¾¤Î¥æ¡¼¥¶¡¼¤Ë¤âÃΤ餻¤ë¤³¤È¤¬¤Ç¤­¤ë¡£¤·¤«¤· "wheel group" µ¡Ç½¤Ï¤³¤ì +-¤òÉÔ²Äǽ¤Ë¤·¡¢·ë²Ì¤È¤·¤ÆÀìÀ©¼Ôã¤Î¸¢¸Â¤ò¶¯¸Ç¤¿¤ë¤â¤Î¤Ë¤·¤Æ¤·¤Þ¤¦¡£ +-.PP +-»ä¤ÏÂç½°¤Î¦¤ËΩ¤Ä¤â¤Î¤Ç¤¢¤ê¡¢ÀìÀ©Åª¤ÊΩ¾ì¤Ë¤ÏÈ¿ÂФ¹¤ë¡£¤¢¤Ê¤¿¤Ï¥Ü¥¹¤ä +-¥·¥¹¥Æ¥à´ÉÍý¼Ô¤Î¤ä¤ê¸ý¤Ë½¾¤¦¤³¤È¤Ë´·¤ì¤Æ¤¤¤ë¤«¤âÃΤì¤Ê¤¤¤¬¡¢¤½¤Î¾ì¹ç¤Ï +-¤Þ¤º¤½¤Î¤³¤È¼«¿È¤òÉԻ׵Ĥ˻פ¦¤Ù¤­¤Ç¤Ï¤Ê¤¤¤À¤í¤¦¤«¡£ +diff -Nur coreutils-5.2.1.orig/man/pl/su.1 coreutils-5.2.1/man/pl/su.1 +--- coreutils-5.2.1.orig/man/pl/su.1 Tue Jun 20 16:07:31 2000 ++++ coreutils-5.2.1/man/pl/su.1 Thu Mar 18 17:05:55 2004 +@@ -78,8 +78,6 @@ + mo¿e zostaæ tak skompilowane, by raportowa³o nieudane, lub opcjonalnie 
+ równie¿ udane próby zmiany id przy u¿yciu + .BR su . +-Jednak \fBsu\fP w wersji GNU nie sprawdza czy u¿ytkownik jest cz³onkiem grupy +-`wheel' -- patrz poni¿ej. + .SH OPCJE + .TP + .BR \-c " \fIpolecenie\fP, " \-\-command= \fIpolecenie +@@ -139,25 +137,6 @@ + .TP + .B \-\-version + Wy¶wietla numer wersji programu i koñczy pracê. +-.SH Dlaczego GNU `su' nie obs³uguje grupy `wheel' +- +-(Sekcjê tê napisa³ Richard Stallman) +- +-Czasami kilku u¿ytkowników usi³uje sprawowaæ nieograniczon± w³adzê nad +-pozosta³ymi. Na przyk³ad, w 1984, kilku u¿ytkowników w laboratorium AI MIT +-zdecydowa³o siê `przej±æ w³adzê' zmieniaj±c has³o operatora systemu Twenex +-i trzymaj±c je w tajemnicy przed wszystkimi innymi. (Uda³o mi siê +-udaremniæ ten zamach i przywróciæ w³adzê u¿ytkownikom ³ataj±c j±dro, lecz +-nie wiedzia³bym jak zrobiæ to w Uniksie.) +- +-Jednak, od czasu do czasu panuj±cy wyjawiaj± komu¶. Przy zwyk³ym +-mechanizmie `su', kto¶, kto pozna³ has³o root'a i sympatyzuje ze zwyk³ymi +-u¿ytkownikami, mo¿e przekazaæ je pozosta³ym. Funkcja "grupy wheel" +-uniemo¿liwia³aby to, i w ten sposób umacnia³a w³adzê rz±dz±cych. +- +-Jestem po stronie mas, nie po stronie rz±dz±cych. Je¿eli zwyk³e¶ popieraæ +-szefów i administratorów systemów we wszystkim, co robi±, podej¶cie to mo¿e +-pocz±tkowo wydaæ Ci siê dziwne. + .SH "ZG£ASZANIE B£ÊDÓW" + B³êdy proszê zg³aszaæ, w jêz.ang., do . + .SH COPYRIGHT
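Review bot: In the parent-side cleanup at the top of this hunk (run_shell in src/su.c), `PAM_BAIL_P_VOID;` after pam_close_session and after pam_end makes run_shell return to main when either call fails. The visible tail of main has nothing after `run_shell (...)`, so su would then finish with main's default status instead of the shell's. On the `caught` path the `sleep(2); kill(child, SIGKILL);` step is also skipped, which leaves the shell running after its session has been torn down. Reporting the error and falling through to the kill/exit code would be safer, for example `if (retval != PAM_SUCCESS) fprintf (stderr, "%s\n", pam_strerror (pamh, retval));` in place of the first `PAM_BAIL_P_VOID;`. The macro also hands PAM_SUCCESS to pam_end on a failure path, and `exit (WEXITSTATUS(status))` has no WIFEXITED check visible in the hunk; the remainder of the hunk is documentation and translation text.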