libpamtest: Test that use of su is disallowed

.github/workflows/pam.yml

@@ -81,9 +81,12 @@ jobs:
           sudo tests/test -t 5 -r 0
           echo '[*] Test 10'
           sudo tests/test -t 6 -r 0
+          # Anyone can use su
+          echo '[*] Test 11'
+          tests/test -t 7 -r 0
       - name: Harden PAM
         run: |
-          ansible-playbook harden.yml --tags pam --skip-tags slackware,centos
+          ansible-playbook harden.yml --tags pam --skip-tags slackware
           sudo pam-auth-update --enable access
           # Re-create common-auth-matrix
           sudo rm -v /etc/pam.d/common-auth-matrix
@@ -92,6 +95,8 @@ jobs:
         run: |
           # Login for "nobody" should be blocked by hardened configuration even with a valid password
           sudo tests/test -t 6 -r 2
+          # Use of su should be denied
+          tests/test -t 7 -r 2
       - name: chmod /var/log/auth.log
         run: sudo chmod -c 644 /var/log/auth.log
       - name: Archive auth.log

tests/pamtests.yml

@@ -61,21 +61,24 @@
     # authentication should fail as pam_matrix is not yet in use
     - name: Test login:auth root login against pam_unix
       ansible.builtin.command: "{{ tempdir_1.path }}/test -t 1 -r 2"
-    - name: Switch pam_auth to pam_matrix in /etc/pam.d/common-auth-matrix
+    - name: Switch pam_unix to pam_matrix in /etc/pam.d/common-auth-matrix
       tags: setup
       ansible.builtin.replace:
         path: /etc/pam.d/common-auth-matrix
         regexp: '^(auth\s+\[success=[0-9]+ default=ignore\]\s+)pam_unix\.so.*$'
         replace: '\1/usr/lib/{{ ansible_architecture }}-linux-gnu/pam_wrapper/pam_matrix.so passdb=/tmp/passdb verbose'
         validate: '/bin/grep "^auth\s\+\[success=[0-9]\+ default=ignore\]\s\+.*pam_matrix\.so.*$" %s'
       become: yes
-    - name: Make login use common-auth-matrix
+    - name: Make login & su use common-auth-matrix
       tags: setup
       ansible.builtin.replace:
-        path: /etc/pam.d/login
+        path: '{{ item }}'
         regexp: '^(@include common-auth).*$'
         replace: '\1-matrix'
         validate: '/bin/grep "^@include common-auth-matrix$" %s'
+      with_items:
+        - /etc/pam.d/login
+        - /etc/pam.d/su
       become: yes
     # should fail because of pam_securetty
     - name: Test login:auth root login blocked by pam_securetty

tests/test.c

@@ -2,16 +2,7 @@
 #include <stddef.h>
 #include <setjmp.h>
 #include <cmocka.h>
-
-/*
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-*/
 #include <libpamtest.h>
-
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
@@ -78,6 +69,26 @@ static void test_pam_authenticate_nobody(void **state)
   perr = run_pamtest("login", "nobody", &conv_data, tests, NULL);
   assert_int_equal(perr, testcase);
 }
+static void test_pam_authenticate_nobody_su(void **state)
+{
+  enum pamtest_err perr;
+  struct pamtest_conv_data conv_data;
+  const char *trinity_authtoks[] = {
+    "nobodysecret",
+    NULL,
+  };
+  struct pam_testcase tests[] = {
+    pam_test(PAMTEST_AUTHENTICATE, PAM_SUCCESS),
+  };
+
+  (void) state;	/* unused */
+
+  ZERO_STRUCT(conv_data);
+  conv_data.in_echo_off = trinity_authtoks;
+
+  perr = run_pamtest("su", "nobody", &conv_data, tests, NULL);
+  assert_int_equal(perr, testcase);
+}
 static void test_pam_acct_invalid_user(void **state)
 {
   enum pamtest_err perr;
@@ -146,6 +157,7 @@ options:\n\
 		4	cron:acct root user\n\
 		5	cron:acct nobody user\n\
 		6	login:auth nobody user\n\
+		7	su:auth nobody user\n\
 ");
 }
 int main(int argc, char *argv[]) {
@@ -185,6 +197,9 @@ int main(int argc, char *argv[]) {
           case 6:
             ptr = test_pam_authenticate_nobody;
             break;
+          case 7:
+            ptr = test_pam_authenticate_nobody_su;
+            break;
           default:
             printf("invalid test case\n");
             exit (1);