packaging: Require account validation with pam_unix.so if PAM enabled
With a current pam_rootok.so, it works only with `root` account. If the user
is under `frrvty`, `frr` group, it gets the error:

```
% groups | grep -o -E "frrvty|frr"
frrvty
frr

% vtysh -c 'end'
vtysh_pam: Failed in account validation: Permission denied(6)
```

Checking the logs:

```
vtysh[23930]: pam_rootok(frr:account): root check failed
```

Let's require a valid user, instead of the root user only.

Signed-off-by: Donatas Abraitis <[email protected]>
ton31337 committed Jan 16, 2024
1 parent 18257b5 commit f67c50f
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion debian/frr.pam
@@ -1,4 +1,4 @@
# Any user may call vtysh but only those belonging to the group frrvty can
# actually connect to the socket and use the program.
auth sufficient pam_permit.so
account sufficient pam_rootok.so
account sufficient pam_unix.so
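
Review bot: The header comment at the top of debian/frr.pam still describes only the frrvty group restriction, while the `account` line now makes the result depend on pam_unix's account checks, so the comment should also say that the calling user needs a valid, non-expired account. Since this is the only `account` entry in the file, `required` would state the intent more clearly than `sufficient`, which reads as if a fallback module follows. If vtysh users may come from a non-local account source, consider `@include common-account` so the file follows the system account policy instead of hard-coding pam_unix.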
4 changes: 2 additions & 2 deletions redhat/frr.pam
Expand Up @@ -4,8 +4,8 @@
##### if running frr as root:
# Only allow root (and possibly wheel) to use this because enable access
# is unrestricted.
auth sufficient pam_rootok.so
account sufficient pam_rootok.so
auth sufficient pam_rootok.so
account sufficient pam_unix.so

# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
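
Review bot: The comment at the top of this hunk ("Only allow root (and possibly wheel) to use this because enable access is unrestricted") no longer matches the new `account sufficient pam_unix.so` line, which accepts any valid account rather than root only, so either update the comment or explain why the wider account check is acceptable given the unrestricted enable access it warns about. The `auth` line is still `pam_rootok.so` here, whereas debian/frr.pam uses `pam_permit.so`, so if vtysh also runs the auth stack a non-root user in frrvty may still be refused on Red Hat builds; please confirm that was tested. The `auth` line is also removed and re-added with the same visible text, which looks like a whitespace-only change and could be dropped from the patch.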