- partially update from fedora, fixes test suite

[packages/coreutils.git] / coreutils-pam.patch

--- coreutils-6.7/src/Makefile.am.pam   2006-11-24 21:28:10.000000000 +0000
+++ coreutils-6.7/src/Makefile.am       2007-01-09 17:00:01.000000000 +0000
@@ -359,7 +359,7 @@
 uptime_LDADD += $(GETLOADAVG_LIBS)
 
 # for crypt
-su_LDADD += $(LIB_CRYPT)
+su_LDADD += $(LIB_CRYPT) $(LIB_PAM)
 
 # for various ACL functions
 copy_LDADD += $(LIB_ACL)
--- coreutils-6.10/src/su.c.orig        2007-11-25 14:23:31.000000000 +0100
+++ coreutils-6.10/src/su.c     2008-03-02 02:07:13.568059486 +0100
@@ -37,6 +37,16 @@
    restricts who can su to UID 0 accounts.  RMS considers that to
    be fascist.
 
+#ifdef USE_PAM
+
+   Actually, with PAM, su has nothing to do with whether or not a
+   wheel group is enforced by su.  RMS tries to restrict your access
+   to a su which implements the wheel group, but PAM considers that
+   to be fascist, and gives the user/sysadmin the opportunity to
+   enforce a wheel group by proper editing of /etc/pam.conf
+
+#endif
+
    Compile-time options:
    -DSYSLOG_SUCCESS    Log successful su's (by default, to root) with syslog.
    -DSYSLOG_FAILURE    Log failed su's (by default, to root) with syslog.
@@ -58,6 +68,15 @@
    prototype (returning `int') in <unistd.h>.  */
 #define getusershell _getusershell_sys_proto_
 
+#ifdef USE_PAM
+# include <signal.h>
+# include <sys/wait.h>
+# include <sys/fsuid.h>
+# include <unistd.h>
+# include <security/pam_appl.h>
+# include <security/pam_misc.h>
+#endif /* USE_PAM */
+
 #include "system.h"
 #include "getpass.h"

@@ -130,10 +130,17 @@
 /* The user to become if none is specified.  */
 #define DEFAULT_USER "root"
 
+#ifndef USE_PAM
 char *crypt (char const *key, char const *salt);
+#endif
 
-static void run_shell (char const *, char const *, char **, size_t)
+static void run_shell (char const *, char const *, char **, size_t,
+               const struct passwd *)
+#ifdef USE_PAM
+       ;
+#else
      ATTRIBUTE_NORETURN;
+#endif
 
 /* If true, pass the `-f' option to the subshell.  */
 static bool fast_startup;
@@ -215,7 +241,26 @@
 }
 #endif
 
+#ifdef USE_PAM
+static pam_handle_t *pamh = NULL;
+static int retval;
+static struct pam_conv conv = {
+  misc_conv,
+  NULL
+};
+
+#define PAM_BAIL_P if (retval) { \
+  pam_end(pamh, PAM_SUCCESS); \
+  return 0; \
+}
+#define PAM_BAIL_P_VOID if (retval) {          \
+  pam_end(pamh, PAM_SUCCESS);                  \
+return;                                                \
+}
+#endif
+
 /* Ask the user for a password.
+   If PAM is in use, let PAM ask for the password if necessary.
    Return true if the user gives the correct password for entry PW,
    false if not.  Return true without asking for a password if run by UID 0
    or if PW has an empty password.  */
@@ -223,6 +268,44 @@
 static bool
 correct_password (const struct passwd *pw)
 {
+#ifdef USE_PAM
+  struct passwd *caller;
+  char *tty_name, *ttyn;
+  retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
+  PAM_BAIL_P;
+
+  if (getuid() != 0 && !isatty(0)) {
+       fprintf(stderr, _("standard in must be a tty\n"));
+       exit(1);
+  }
+
+  caller = getpwuid(getuid());
+  if(caller != NULL && caller->pw_name != NULL) {
+         retval = pam_set_item(pamh, PAM_RUSER, caller->pw_name);
+         PAM_BAIL_P;
+  }
+
+  ttyn = ttyname(0);
+  if (ttyn) {
+    if (strncmp(ttyn, "/dev/", 5) == 0)
+       tty_name = ttyn+5;
+    else
+       tty_name = ttyn;
+    retval = pam_set_item(pamh, PAM_TTY, tty_name);
+    PAM_BAIL_P;
+  }
+  retval = pam_authenticate(pamh, 0);
+  PAM_BAIL_P;
+  retval = pam_acct_mgmt(pamh, 0);
+  if (retval == PAM_NEW_AUTHTOK_REQD && getuid()) {
+    /* password has expired.  Offer option to change it. */
+    retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+    PAM_BAIL_P;
+  }
+  PAM_BAIL_P;
+  /* must be authenticated if this point was reached */
+  return 1;
+#else /* !USE_PAM */
   char *unencrypted, *encrypted, *correct;
 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
   /* Shadow passwd stuff for SVR3 and maybe other systems.  */
@@ -247,6 +330,7 @@
   encrypted = crypt (unencrypted, correct);
   memset (unencrypted, 0, strlen (unencrypted));
   return STREQ (encrypted, correct);
+#endif /* !USE_PAM */
 }
 
 /* Update `environ' for the new shell based on PW, with SHELL being
@@ -260,12 +344,18 @@
       /* Leave TERM unchanged.  Set HOME, SHELL, USER, LOGNAME, PATH.
          Unset all other environment variables.  */
       char const *term = getenv ("TERM");
+      char const *display = getenv ("DISPLAY");
+      char const *xauthority = getenv ("XAUTHORITY");
       if (term)
         term = xstrdup (term);
       environ = xmalloc ((6 + !!term) * sizeof (char *));
       environ[0] = NULL;
       if (term)
         xsetenv ("TERM", term);
+      if (display)
+        xsetenv ("DISPLAY", display);
+      if (xauthority)
+        xsetenv ("XAUTHORITY", xauthority);
       xsetenv ("HOME", pw->pw_dir);
       xsetenv ("SHELL", shell);
       xsetenv ("USER", pw->pw_name);
@@ -373,8 +373,13 @@
 {
 #ifdef HAVE_INITGROUPS
   errno = 0;
-  if (initgroups (pw->pw_name, pw->pw_gid) == -1)
+  if (initgroups (pw->pw_name, pw->pw_gid) == -1) {
+#ifdef USE_PAM
+      pam_close_session(pamh, 0);
+      pam_end(pamh, PAM_ABORT);
+#endif
     error (EXIT_CANCELED, errno, _("cannot set groups"));
+  }
   endgrent ();
 #endif
   if (setgid (pw->pw_gid))
@@ -308,6 +403,31 @@
     error (EXIT_FAILURE, errno, _("cannot set user id"));
 }
 
+#ifdef USE_PAM
+static int caught=0;
+/* Signal handler for parent process later */
+static void su_catch_sig(int sig)
+{
+  ++caught;
+}
+
+int
+pam_copyenv (pam_handle_t *pamh)
+{
+  char **env;
+
+  env = pam_getenvlist(pamh);
+  if(env) {
+    while(*env) {
+       if (putenv (*env))
+         xalloc_die ();
+       env++;
+    }
+  }
+  return(0);
+}
+#endif
+
 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
    If COMMAND is nonzero, pass it to the shell with the -c option.
    Pass ADDITIONAL_ARGS to the shell as more arguments; there
@@ -315,17 +435,49 @@
 
 static void
 run_shell (char const *shell, char const *command, char **additional_args,
-           size_t n_additional_args)
+           size_t n_additional_args, const struct passwd *pw)
 {
   size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1;
   char const **args = xnmalloc (n_args, sizeof *args);
   size_t argno = 1;
+#ifdef USE_PAM
+  int child;
+  sigset_t ourset;
+  int status;
+
+  retval = pam_open_session(pamh,0);
+  if (retval != PAM_SUCCESS) {
+    fprintf (stderr, _("could not open session\n"));
+    exit (1);
+  }
+
+/* do this at the last possible moment, because environment variables may
+   be passed even in the session phase
+*/
+  if(pam_copyenv(pamh) != PAM_SUCCESS)
+     fprintf (stderr, _("error copying PAM environment\n"));
+  
+  /* Credentials should be set in the parent */ 
+  if (pam_setcred(pamh, PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
+    pam_close_session(pamh, 0);
+    fprintf(stderr, _("could not set PAM credentials\n"));
+    exit(1);
+  }
+
+  child = fork();
+  if (child == 0) {  /* child shell */
+  change_identity (pw);
+  pam_end(pamh, 0);
+#endif
 
   if (simulate_login)
     {
       char *arg0;
       char *shell_basename;
 
+      if(chdir(pw->pw_dir))
+             error(0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+
       shell_basename = last_component (shell);
       arg0 = xmalloc (strlen (shell_basename) + 2);
       arg0[0] = '-';
@@ -350,6 +502,66 @@
     error (0, errno, "%s", shell);
     exit (exit_status);
   }
+#ifdef USE_PAM
+  } else if (child == -1) {
+      fprintf(stderr, _("can not fork user shell: %s"), strerror(errno));
+      pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+      pam_close_session(pamh, 0);
+      pam_end(pamh, PAM_ABORT);
+      exit(1);
+  }
+  /* parent only */
+  sigfillset(&ourset);
+  if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
+    fprintf(stderr, _("%s: signal malfunction\n"), PROGRAM_NAME);
+    caught = 1;
+  }
+  if (!caught) {
+    struct sigaction action;
+    action.sa_handler = su_catch_sig;
+    sigemptyset(&action.sa_mask);
+    action.sa_flags = 0;
+    sigemptyset(&ourset);
+    if (sigaddset(&ourset, SIGTERM)
+        || sigaddset(&ourset, SIGALRM)
+        || sigaction(SIGTERM, &action, NULL)
+        || sigprocmask(SIG_UNBLOCK, &ourset, NULL)) {
+      fprintf(stderr, _("%s: signal masking malfunction\n"), PROGRAM_NAME);
+      caught = 1;
+    }
+  }
+  if (!caught) {
+    do {
+      int pid;
+
+      pid = waitpid(-1, &status, WUNTRACED);
+
+      if (WIFSTOPPED(status)) {
+          kill(getpid(), SIGSTOP);
+          /* once we get here, we must have resumed */
+          kill(pid, SIGCONT);
+      }
+    } while (WIFSTOPPED(status));
+  }
+
+  if (caught) {
+    fprintf(stderr, _("\nSession terminated, killing shell..."));
+    kill (child, SIGTERM);
+  }
+  /* Not checking retval on this because we need to call close session */
+  pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+  retval = pam_close_session(pamh, 0);
+  PAM_BAIL_P_VOID;
+  retval = pam_end(pamh, PAM_SUCCESS);
+  PAM_BAIL_P_VOID;
+  if (caught) {
+    sleep(2);
+    kill(child, SIGKILL);
+    fprintf(stderr, _(" ...killed.\n"));
+    exit(-1);
+  }
+  exit (WEXITSTATUS(status));
+#endif /* USE_PAM */
 }
 
 /* Return true if SHELL is a restricted shell (one not returned by
@@ -714,9 +714,9 @@
   shell = xstrdup (shell ? shell : pw->pw_shell);
   modify_environment (pw, shell);
 
+#ifndef USE_PAM
   change_identity (pw);
-  if (simulate_login && chdir (pw->pw_dir) != 0)
-    error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+#endif
 
   /* error() flushes stderr, but does not check for write failure.
      Normally, we would catch this via our atexit() hook of
@@ -726,5 +726,5 @@
   if (ferror (stderr))
     exit (EXIT_CANCELED);
 
-  run_shell (shell, command, argv + optind, MAX (0, argc - optind));
+  run_shell (shell, command, argv + optind, MAX (0, argc - optind), pw);
 }
--- coreutils-6.7/doc/coreutils.texi.pam        2006-10-27 15:30:48.000000000 +0100
+++ coreutils-6.7/doc/coreutils.texi    2007-01-09 17:00:01.000000000 +0000
@@ -13395,8 +13395,11 @@
 @findex syslog
 @command{su} can optionally be compiled to use @code{syslog} to report
 failed, and optionally successful, @command{su} attempts.  (If the system
-supports @code{syslog}.)  However, GNU @command{su} does not check if the
-user is a member of the @code{wheel} group; see below.
+supports @code{syslog}.)
+
+This version of @command{su} has support for using PAM for
+authentication.  You can edit @file{/etc/pam.d/su} to customize its
+behaviour.
 
 The program accepts the following options.  Also see @ref{Common options}.
 
@@ -11892,32 +11892,6 @@
 the exit status of the subshell otherwise
 @end display
 
-@cindex wheel group, not supported
-@cindex group wheel, not supported
-@cindex fascism
-@subsection Why GNU @command{su} does not support the @samp{wheel} group
-
-(This section is by Richard Stallman.)
-
-@cindex Twenex
-@cindex MIT AI lab
-Sometimes a few of the users try to hold total power over all the
-rest.  For example, in 1984, a few users at the MIT AI lab decided to
-seize power by changing the operator password on the Twenex system and
-keeping it secret from everyone else.  (I was able to thwart this coup
-and give power back to the users by patching the kernel, but I
-wouldn't know how to do that in Unix.)
-
-However, occasionally the rulers do tell someone.  Under the usual
-@command{su} mechanism, once someone learns the root password who
-sympathizes with the ordinary users, he or she can tell the rest.  The
-``wheel group'' feature would make this impossible, and thus cement the
-power of the rulers.
-
-I'm on the side of the masses, not that of the rulers.  If you are
-used to supporting the bosses and sysadmins in whatever they do, you
-might find this idea strange at first.
-
 
 @node Delaying
 @chapter Delaying
--- coreutils-6.10/configure.ac.orig    2008-01-13 09:14:23.000000000 +0100
+++ coreutils-6.10/configure.ac 2008-03-02 02:08:10.027276914 +0100
@@ -44,6 +44,13 @@
 gl_INIT
 coreutils_MACROS
 
+dnl Give the chance to enable PAM
+AC_ARG_ENABLE(pam, dnl
+[  --enable-pam              Enable use of the PAM libraries],
+AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
+LIB_PAM="-ldl -lpam -lpam_misc"
+)
+
 AC_FUNC_FORK
 
 optional_bin_progs=
@@ -332,6 +339,13 @@
 AM_GNU_GETTEXT([external], [need-formatstring-macros])
 AM_GNU_GETTEXT_VERSION([0.15])
 
+# just in case we want PAM
+AC_SUBST(LIB_PAM)
+# with PAM su doesn't need libcrypt
+if test -n "$LIB_PAM" ; then
+  LIB_CRYPT=
+fi
+
 AC_CONFIG_FILES(
   Makefile
   doc/Makefile
--- coreutils-6.10/po/pl.po.orig        2008-01-16 21:22:08.000000000 +0100
+++ coreutils-6.10/po/pl.po     2008-03-02 02:09:23.671473657 +0100
@@ -8875,6 +8875,49 @@
 msgid "Usage: %s [OPTION]... [-] [USER [ARG]...]\n"
 msgstr "Składnia: %s [OPCJA]... [-] [UŻYTKOWNIK [ARGUMENT]...]\n"
 
+#: src/su.c:300
+msgid "standard in must be a tty\n\n"
+msgstr "standardowe wejście musi być terminalem\n"
+
+#: src/su.c:425
+msgid "could not open session\n"
+msgstr "nie można otworzyć sesji\n"
+
+#: src/su.c:433
+msgid "error copying PAM environment\n"
+msgstr "błąd podczas kopiowania środowiska PAM\n"
+
+#: src/su.c:450
+msgid "could not set PAM credentials\n"
+msgstr "błąd podczas ustawiania uwierzytelnienia PAM\n"
+
+#: src/su.c:471
+#, c-format
+msgid "cannot fork user shell: %s"
+msgstr "nie można utworzyć procesu powłoki użytkownika: %s"
+
+#: src/su.c:477
+#, c-format
+msgid "%s: signal malfunction\n"
+msgstr "%s: błędne działanie sygnałów\n"
+
+#: src/su.c:490
+#, c-format
+msgid "%s: signal masking malfunction\n"
+msgstr "%s: błędne działanie maskowania sygnałów\n"
+
+#: src/su.c:509
+msgid ""
+"\n"
+"Session terminated, killing shell..."
+msgstr ""
+"\n"
+"Sesja zakończona, zabijanie powłoki..."
+
+#: src/su.c:519
+msgid " killed.\n"
+msgstr " zabito.\n"
+
 #: src/su.c:382
 msgid ""
 "Change the effective user id and group id to that of USER.\n"
diff -Nur coreutils-5.2.1.orig/man/es/su.1 coreutils-5.2.1/man/es/su.1
--- coreutils-5.2.1.orig/man/es/su.1    Mon Apr 12 14:26:19 1999
+++ coreutils-5.2.1/man/es/su.1 Thu Mar 18 17:05:55 2004
@@ -47,13 +47,6 @@
 puede ser compilado para reportar fallo, y opcionalmente éxito en syslog.
 .B su
 intentará utilizar syslog.
-.PP
-Este programa no soporta el grupo "wheel", el cual restringe quien podrá
-ejecutar
-.B su
-hacia la cuenta de root (el superusuario) ya que esta política podría
-ayudar a los administradores de máquinas a facilitar un uso inadecuado a otros
-usuarios.
 .SS OPCIONES
 .TP
 .I "\-c COMANDO, \-\-command=COMANDO"
@@ -118,22 +111,3 @@
 .I "\-\-version"
 Escribe información sobre la versión en  la  salida estándar y acaba sin
 provocar error.
-
-.SH Por que GNU no soporta el grupo "wheel" (por Richard Stallman)
-A veces, algunos listillos intentan hacerse con el poder total
-sobre el resto de usuarios. Por ejemplo, en 1984, un grupo de usuarios del
-laboratorio de Inteligencia Artificial del MIT decidieron tomar el poder
-cambiando el password de operador del sistema Twenex y manteniendolo secreto
-para el resto de usuarios. (De todas maneras, hubiera sido posible desbaratar
-la situación y devolver el control a los usuarios legítimos parcheando el
-kernel, pero no sabría como realizar esta operación en un sistema Unix.)
-.PP
-Sin embargo, casualmente alguien contó el secreto. Mediante el uso habitual de
-.B su
-una vez que alguien conoce el password de root puede contarselo al resto de 
-usuarios. El grupo "wheel" hará que esto sea imposible, protegiendo así el poder
-de los superusuarios.
-.PP
-Yo estoy del lado de las masas, no de los superusuarios. Si eres de los que
-estan de acuerdo con los jefes y los administradores de sistemas en cualquier
-cosa que hagan, al principio encontrarás esta idea algo extraña.
diff -Nur coreutils-5.2.1.orig/man/fr/su.1 coreutils-5.2.1/man/fr/su.1
--- coreutils-5.2.1.orig/man/fr/su.1    Sun Aug 10 12:00:00 2003
+++ coreutils-5.2.1/man/fr/su.1 Thu Mar 18 17:05:55 2004
@@ -54,13 +54,6 @@
 peut être compilé afin de fournir des rapports d'échec, et éventuellement
 de réussite des tentatives d'utilisation de
 .BR su .
-.PP
-Ce programme ne gère pas le "groupe wheel" utilisé pour restreindre
-l'accès par 
-.B su
-au compte Super-Utilisateur, car il pourrait aider des administrateurs
-système fascistes à disposer d'un pouvoir incontrôlé
-sur les autres utilisateurs.
 .SS OPTIONS
 .TP
 .I "\-c COMMANDE, \-\-command=COMMANDE"
@@ -119,25 +112,5 @@
 .I "\-\-version"
 Afficher un numéro de version sur la sortie standard et se terminer normalement.
 
-.SH Pourquoi GNU SU ne gère-t-il pas le groupe `wheel' (par Richard Stallman)
-Il peut arriver qu'un petit groupe d'utilisateurs essayent de s'approprier
-l'ensemble du système. Par exemple, en 1984, quelques utilisateurs du
-laboratoire d'I.A du MIT ont tentés de prendre le pouvoir en modifiant
-le mot de passe de l'opérateur sur le système Twenex, et en
-gardant ce mot de passe secret. (J'ai pu les en empêcher en modifiant le noyau, et
-restaurer ainsi les autres accès, mais je ne saurais pas en faire autant
-sous Unix).
-.PP
-Néanmoins, il arrive parfois que les chefs fournissent le mot
-de passe de root à un utilisateur ordinaire.
-Avec le mécanisme habituel de \fBsu\fP,
-une fois que quelqu'un connaît ce mot de passe, il peut le transmettre
-à ses amis. Le principe du "groupe wheel" rend ce partage impossible,
-ce qui renforce la puissance des chefs.
-.PP
-Je me situe du cote du peuple, pas du côté des chefs. Si vous avez l'habitude
-de soutenir les patrons et les administrateurs systèmes quoi qu'ils fassent,
-cette idée peut vous paraître étrange au premier abord.
-
 .SH TRADUCTION
 Christophe Blaess, 1997-2003.
diff -Nur coreutils-5.2.1.orig/man/hu/su.1 coreutils-5.2.1/man/hu/su.1
--- coreutils-5.2.1.orig/man/hu/su.1    Sun Jul  9 14:19:12 2000
+++ coreutils-5.2.1/man/hu/su.1 Thu Mar 18 17:05:55 2004
@@ -151,33 +151,6 @@
 .B "\-\-version"
 A program verziójáról ír ki információt a standard kimenetre, majd 
 sikeres visszatérési értékkel kilép.
-.SH Miért nem támogatja a GNU su a wheel csoportot? (Richard Stallman)
-
-Néha a rendszer fölötti teljes ellenõrzést egy néhány emberbõl 
-álló csoport akarja kézbe venni. Például 1984-ben pár user a MIT AI
-laborban úgy döntött, hogy átveszik az irányítást a Twenex rendszer
-operátori jelszavának megváltoztatásával, és annak titokban tartásával. 
-(A puccsot sikerült leverni, és a felhasználókat jogaikba visszahelyezni 
-egy kernel patch segítségével, de Unix alatt ezt nem tudtam volna megcsinálni.)
-(A fordító megj.: a wheel csoportot ezzel a módszerrel könnyen
-önkényesen is leszûkíthetik a csoporttagok , így tulajdonképpen nincs sok értelme.)
-.PP
-Néha az uralmon levõk elárulják a root jelszót. A szokásos su 
-mechanizmus szerint, ha valaki megtudja a root jelszót, és 
-szimpatizál a többi közönséges felhasználóval, elárulhatja nekik 
-is. A wheel csoport ezt lehetetlenné tenné, és így bebetonozná az 
-uralmon levõ hatalmát.
-.PP
-Én a tömegek oldalán állok, nem az uralkodókén. Ha te mindig a 
-fõnökök és a rendszergazdák oldalán állsz, bármit is tesznek, akkor 
-valószínûleg furcsálni fogod ezt a hozzáállást.
-.PP
-A fordító megjegyzése: 
-Valami jó azért mégis lenne a wheel csoportban: az, hogy ha a root 
-jelszó kitudódna azzal nem tudna bármelyik felhasználó közvetlenül 
-visszaélni. A wheel csoporthoz hasonló dolgot lehet elérni a
-.B sudo
-csomaggal.
 .SH MEGJEGYZÉS
 A hibákat a bug-sh-utils@gnu.org címen lehet jelenteni.
 Az oldalt Ragnar Hojland Espinosa <ragnar@macula.net> frissítette.
diff -Nur coreutils-5.2.1.orig/man/it/su.1 coreutils-5.2.1/man/it/su.1
--- coreutils-5.2.1.orig/man/it/su.1    Mon Jul  1 23:09:38 2002
+++ coreutils-5.2.1/man/it/su.1 Thu Mar 18 17:05:55 2004
@@ -52,11 +52,6 @@
 .B su
 può essere compilato per riportare tramite syslog gli errori, ed
 eventualmente anche i successi che ottiene.
-.PP
-Questo programma non supporta un "gruppo wheel" che limita chi può fare
-.B su
-agli account del superuser, poiché ciò può aiutare amministratori di
-sistema "fascisti" a tenere un potere inautorizzato sugli altri utenti.
 .SS OPZIONI
 .TP
 .I "\-c COMANDO, \-\-command=COMANDO"
@@ -117,21 +112,3 @@
 .I "\-\-version"
 Stampa in standard output informazioni sulla versione e esce (con
 successo). 
-.SH Perché GNU su non supporta il gruppo wheel (di Richard Stallman)
-Qualche volta pochi utenti provano a tenere il potere assoluto sul
-resto degli utenti. Per esempio, nel 1984, alcuni utenti nel
-laboratorio di AI del MIT decisero impossessarsi del potere cambiando
-la password dell'operatore su un sistema Twenex e tenendola segreta a
-tutti gli altri (fui in grado di contrastare questo colpaccio e
-restituire il potere agli utenti ``patch-ando'' il kernel, ma non
-saprei come fare ciò in Unix).
-.PP
-Comunque, occasionalmente i sovrani lo fanno. Tramite l'usuale
-meccanismo  su, una volta che qualcuno che simpatizzi con gli
-utenti normali, abbia imparato la password di root può dirla anche
-agli altri. La caratteristica del "gruppo wheel" renderebbe ciò
-impossibile, consolidando quindi il potere dei sovrani.
-.PP
-Io sono dalla parte delle masse, non da quella dei sovrani. Se tu sei
-abituato a sostenere i capi e gli amministratori di sistema in tutto
-quello che fanno, potresti trovare questa idea strana all'inizio.
diff -Nur coreutils-5.2.1.orig/man/ja/su.1 coreutils-5.2.1/man/ja/su.1
--- coreutils-5.2.1.orig/man/ja/su.1    Sun Dec 14 16:06:54 2003
+++ coreutils-5.2.1/man/ja/su.1 Thu Mar 18 17:05:55 2004
@@ -83,12 +83,6 @@
 .B su
 ¤¬¼ºÇÔ¤·¤¿¤È¤­ syslog ¤Ë¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¥³¥ó¥Ñ¥¤¥ë¤¹¤ë¤³¤È
 ¤¬¤Ç¤­¤ë¡ÊÀ®¸ù¤ò¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¤â¤Ç¤­¤ë¡Ë¡£
-.PP
-¤³¤Î¥×¥í¥°¥é¥à¤Ï "wheel group" ¤Îµ¡Ç½¡Ê
-.B su
-¤Ë¤è¤Ã¤Æ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¡¼¥¢¥«¥¦¥ó¥È¤Ë¤Ê¤ì¤ë¥æ¡¼¥¶¤òÀ©¸Â¤¹¤ëµ¡Ç½¡Ë¤ò¥µ¥Ý¡¼
-¥È¤·¤Ê¤¤¡£¤³¤ì¤ÏÀìÀ©Åª¤Ê¥·¥¹¥Æ¥à´ÉÍý¼Ô¤¬Â¾¤Î¥æ¡¼¥¶¡¼¤ËÉÔÅö¤Ê¸¢ÎϤò¿¶¤ë
-¤¨¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤¿¤á¤Ç¤¢¤ë¡£
 .SS OPTIONS
 .TP
 .I "\-c COMMAND, \-\-command=COMMAND"
@@ -151,19 +145,3 @@
 .TP
 .I "\-\-version"
 ¥Ð¡¼¥¸¥ç¥ó¾ðÊó¤òɸ½à½ÐÎϤËɽ¼¨¤·¡¢¼Â¹ÔÀ®¸ù¤òÊÖ¤·¤Æ½ªÎ»¤¹¤ë¡£
-.SH GNU su ¤Ç wheel ¥°¥ë¡¼¥×¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¤ï¤±¡ÊRichard Stallman¡Ë
-¤È¤­¤ª¤ê¡¢¾¯¿ô¤Î¥æ¡¼¥¶¡¼¤Ë¤è¤Ã¤Æ¡¢Â¾¤Î¥æ¡¼¥¶¡¼¤ËÂФ¹¤ëÁ´¸¢¤ò¾¸°®¤·¤è¤¦
-¤È¤¹¤ë»î¤ß¤¬¤Ê¤µ¤ì¤ë¤³¤È¤¬¤¢¤ë¡£Î㤨¤Ð 1984 ǯ¡¢ MIT AI ¥é¥Ü¤Î¾¯¿ô¤Î¥æ¡¼
-¥¶¡¼¤Ï Twenex ¥·¥¹¥Æ¥à¤Î¥ª¥Ú¥ì¡¼¥¿¡¼¥Ñ¥¹¥ï¡¼¥É¤ÎÊѹ¹¸¢¸Â¤ò¶¯Ã¥¤·¡¢¤³¤ì
-¤ò¾¤Î¥æ¡¼¥¶¡¼¤«¤éÈëÆ¿¤¹¤ë¤³¤È¤Ë·èÄꤷ¤¿¡Ê¤³¤ÎºÝ¤Ë¤Ï»ä¤Ï¤³¤Î¥¯¡¼¥Ç¥¿¡¼
-¤Î΢¤ò¤«¤­¡¢¥«¡¼¥Í¥ë¤Ë¥Ñ¥Ã¥Á¤òÅö¤Æ¤Æ¸¢¸Â¤ò¼è¤êÊÖ¤¹¤³¤È¤ËÀ®¸ù¤·¤¿¡£¤·¤«
-¤·¤³¤ì¤¬ Unix ¤Ç¤¢¤Ã¤¿¤é¡¢»ä¤Ë¤Ï¤É¤¦¤¹¤ì¤Ð¤è¤¤¤«¤ï¤«¤é¤Ê¤«¤Ã¤¿¤À¤í¤¦¡Ë¡£
-.PP
-¤·¤«¤·¤Ê¤¬¤é¡¢»þ¤Ë¤ÏÀìÀ©¼Ô¤âÈëÌ©¤òϳ¤é¤¹¤â¤Î¤Ç¤¢¤ë¡£Ä̾ï¤Î su ¤Î¥á¥«¥Ë
-¥º¥à¤Ç¤Ï¡¢°ìÈ̥桼¥¶¡¼¤Î¦¤ËΩ¤Ä¼Ô¤¬ root ¤Î¥Ñ¥¹¥ï¡¼¥É¤òÃΤì¤Ð¡¢¤³¤ì¤ò
-¾¤Î¥æ¡¼¥¶¡¼¤Ë¤âÃΤ餻¤ë¤³¤È¤¬¤Ç¤­¤ë¡£¤·¤«¤· "wheel group" µ¡Ç½¤Ï¤³¤ì
-¤òÉÔ²Äǽ¤Ë¤·¡¢·ë²Ì¤È¤·¤ÆÀìÀ©¼Ôã¤Î¸¢¸Â¤ò¶¯¸Ç¤¿¤ë¤â¤Î¤Ë¤·¤Æ¤·¤Þ¤¦¡£
-.PP
-»ä¤ÏÂç½°¤Î¦¤ËΩ¤Ä¤â¤Î¤Ç¤¢¤ê¡¢ÀìÀ©Åª¤ÊΩ¾ì¤Ë¤ÏÈ¿ÂФ¹¤ë¡£¤¢¤Ê¤¿¤Ï¥Ü¥¹¤ä
-¥·¥¹¥Æ¥à´ÉÍý¼Ô¤Î¤ä¤ê¸ý¤Ë½¾¤¦¤³¤È¤Ë´·¤ì¤Æ¤¤¤ë¤«¤âÃΤì¤Ê¤¤¤¬¡¢¤½¤Î¾ì¹ç¤Ï
-¤Þ¤º¤½¤Î¤³¤È¼«¿È¤òÉԻ׵Ĥ˻פ¦¤Ù¤­¤Ç¤Ï¤Ê¤¤¤À¤í¤¦¤«¡£
diff -Nur coreutils-5.2.1.orig/man/pl/su.1 coreutils-5.2.1/man/pl/su.1
--- coreutils-5.2.1.orig/man/pl/su.1    Tue Jun 20 16:07:31 2000
+++ coreutils-5.2.1/man/pl/su.1 Thu Mar 18 17:05:55 2004
@@ -78,8 +78,6 @@
 mo¿e zostaæ tak skompilowane, by raportowa³o nieudane, lub opcjonalnie
 równie¿ udane próby zmiany id przy u¿yciu
 .BR su .
-Jednak \fBsu\fP w wersji GNU nie sprawdza czy u¿ytkownik jest cz³onkiem grupy
-`wheel' -- patrz poni¿ej.
 .SH OPCJE
 .TP
 .BR \-c " \fIpolecenie\fP, " \-\-command= \fIpolecenie
@@ -139,25 +137,6 @@
 .TP
 .B \-\-version
 Wy¶wietla numer wersji programu i koñczy pracê.
-.SH Dlaczego GNU `su' nie obs³uguje grupy `wheel'
-
-(Sekcjê tê napisa³ Richard Stallman)
-
-Czasami kilku u¿ytkowników usi³uje sprawowaæ nieograniczon± w³adzê nad
-pozosta³ymi. Na przyk³ad, w 1984, kilku u¿ytkowników w laboratorium AI MIT
-zdecydowa³o siê `przej±æ w³adzê' zmieniaj±c has³o operatora systemu Twenex
-i trzymaj±c je w tajemnicy przed wszystkimi innymi. (Uda³o mi siê
-udaremniæ ten zamach i przywróciæ w³adzê u¿ytkownikom ³ataj±c j±dro, lecz
-nie wiedzia³bym jak zrobiæ to w Uniksie.)
-
-Jednak, od czasu do czasu panuj±cy wyjawiaj± komu¶. Przy zwyk³ym
-mechanizmie `su', kto¶, kto pozna³ has³o root'a i sympatyzuje ze zwyk³ymi
-u¿ytkownikami, mo¿e przekazaæ je pozosta³ym. Funkcja "grupy wheel"
-uniemo¿liwia³aby to, i w ten sposób umacnia³a w³adzê rz±dz±cych.
-
-Jestem po stronie mas, nie po stronie rz±dz±cych. Je¿eli zwyk³e¶ popieraæ
-szefów i administratorów systemów we wszystkim, co robi±, podej¶cie to mo¿e
-pocz±tkowo wydaæ Ci siê dziwne.
 .SH "ZG£ASZANIE B£ÊDÓW"
 B³êdy proszê zg³aszaæ, w jêz.ang., do <bug-sh-utils@gnu.org>.
 .SH COPYRIGHT