Bug
Resolution: Done-Errata
Normal
rhel-9.3.0.z
pam-1.5.1-18.el9
Impediment
rhel-sst-idm-sssd
ssg_idm
Red Hat Enterprise Linux
Pass
Automated
Unspecified Release Note Type - Unknown
x86_64
What were you trying to do that didn't work?
Bug related to the issue. Errata came on RHEL 8.4
- [1866866 - PAM can't identify the user when running via gnome-terminal in an X session](https://bugzilla.redhat.com/show_bug.cgi?id=1866866)
However, something changed and the behavior is still present.
Please provide the package NVR for which bug is seen:
RHEL8.5: pam 1.3.1-15.el8 - correct behaviour
RHEL9.1: 1.5.1-12.el9 and 1.5.1-15.el9 (9.3) exhibit the same problem
Steps to Reproduce:
1. Create "testuser" user and set password
2. Configure "testuser" user in sudoers to be able to sudo without password:
---
testuser ALL=(ALL) NOPASSWD: ALL
---
3. Configure pam.d/sudo to verify the account based on group membership, for example
Comment out: "#account include system-auth" and replace with:
---
account sufficient pam_wheel.so trust group=users debug
---
4. Add the line below to /etc/pam.d/su
---
account sufficient pam_wheel.so trust group=users debug
---
5. Add user to users group: usermod -G users testuser
6. Ssh into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully
Evidences:
RHEL 8.8
~~~
PAM Config
[testuser@winbind ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
#auth include system-auth
account sufficient pam_wheel.so trust group=users debug
account include system-auth
password include system-auth
session include system-auth
[testuser@winbind ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
account sufficient pam_wheel.so trust group=users debug
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Secure logs
Nov 14 13:37:44 winbind sshd[12902]: Accepted password for testuser from 192.168.122.1 port 37124 ssh2
Nov 14 13:37:44 winbind sshd[12902]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Nov 14 13:38:01 winbind sudo[12957]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 winbind sudo[12957]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 winbind sudo[12957]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
Nov 14 13:38:01 winbind su[12958]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 winbind su[12958]: pam_unix(su:session): session opened for user root by testuser(uid=0)
ssh from an external terminal
Nov 14 13:42:46 winbind sshd[13443]: Accepted password for testuser from 192.168.122.1 port 52170 ssh2
Nov 14 13:42:46 winbind systemd[13449]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Nov 14 13:42:46 winbind sshd[13443]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Nov 14 13:42:46 winbind sudo[13482]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 winbind sudo[13482]: testuser : TTY=unknown ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 winbind sudo[13482]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 14 13:42:46 winbind su[13513]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:42:46 winbind su[13513]: pam_unix(su:session): session opened for user root by (uid=0)
~~~
RHEL 9.3
~~~
PAM Config
[testuser@rhel91 ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
#auth include system-auth
account sufficient pam_wheel.so trust group=users debug
account include system-auth
password include system-auth
session include system-auth
[testuser@rhel91 ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
account sufficient pam_wheel.so trust group=users debug
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Secure logs
Nov 14 13:37:44 rhel91 sshd[9950]: Accepted password for testuser from 192.168.122.1 port 48546 ssh2
Nov 14 13:37:44 rhel91 sshd[9950]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:38:01 rhel91 sudo[9998]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 rhel91 sudo[9998]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 rhel91 sudo[9998]: pam_unix(sudo:session): session opened for user root(uid=0) by testuser(uid=1001)
Nov 14 13:38:01 rhel91 su[9999]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 rhel91 su[9999]: pam_unix(su:session): session opened for user root(uid=0) by testuser(uid=0)
ssh from an external terminal
Nov 14 13:42:46 rhel91 sshd[10340]: Accepted password for testuser from 192.168.122.1 port 53194 ssh2
Nov 14 13:42:46 rhel91 systemd[10346]: pam_unix(systemd-user:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:42:46 rhel91 sshd[10340]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 rhel91 sudo[10381]: testuser : PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 rhel91 sudo[10381]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root' ----> pam_wheel is not picking up the original UID like in RHEL8.8 and it's recognising the user as root, it is then denying access.
Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
~~~
- The issue is reproduced only when we ssh from an external machine. Even when the message said it is denied, the sudo su worked.
i.e.: external host: ssh testuser@machine "sudo su"
Customer words:
Ultimately, the situation is that rules that use pam_wheel and are supposed to authorise and deny the user based on the original UID are not working. This is arguably worse than what was happening before 1.3.1-14.el8 where at least it was failing and denying access while now it's wrongly assigning root identity as the original UID, granting access to users who should be denied.
Links to:
RHBA-2023:123902 pam bug fix and enhancement update
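An added example, not part of the original report or of the pam project: a small audit over /var/log/secure that flags the two symptoms shown in the RHEL 9.3 excerpt, namely pam_wheel in `su` evaluating a different calling user than the one named in the preceding sudo record, and a pam_wheel denial followed by an opened session in the same process. The log lines are copied from the report; correlating `su` with the most recent sudo record on the same host is a heuristic assumed here, and the function and finding names are hypothetical.

```python
import re

# Log lines copied from the RHEL 9.3 "Secure logs" excerpt in the report above.
INTERACTIVE = """\
Nov 14 13:38:01 rhel91 sudo[9998]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 rhel91 sudo[9998]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 rhel91 su[9999]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 rhel91 su[9999]: pam_unix(su:session): session opened for user root(uid=0) by testuser(uid=0)
"""
NO_TTY = """\
Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 rhel91 sudo[10381]: testuser : PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root'
Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) (\w+)\[(\d+)\]: (.*)$")
WHEEL = re.compile(r"pam_wheel\(\w+:account\): Access (granted|denied) to '([^']*)' for '([^']*)'")
SUDO_CMD = re.compile(r"^(\S+) : .*COMMAND=(\S+)")
SESSION = re.compile(r"pam_unix\(\w+:session\): session opened for user")


def audit(log_text):
    """Return findings as (kind, host, pid, detail) tuples."""
    findings = []
    last_sudo_user = {}   # host -> user named in the most recent sudo command record
    denied = set()        # (host, pid) of processes where pam_wheel logged a denial
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        host, prog, pid, msg = m.groups()
        if prog == "sudo" and (s := SUDO_CMD.match(msg)):
            last_sudo_user[host] = s.group(1)
        elif w := WHEEL.search(msg):
            verdict, caller, _target = w.groups()
            expected = last_sudo_user.get(host)
            # Heuristic: su following a sudo record should still be attributed
            # by pam_wheel to the user who ran sudo, as in the RHEL 8.8 logs.
            if prog == "su" and expected and caller != expected:
                findings.append(("caller-mismatch", host, pid, f"{caller} != {expected}"))
            if verdict == "denied":
                denied.add((host, pid))
        elif SESSION.search(msg) and (host, pid) in denied:
            findings.append(("denied-then-session", host, pid, msg))
    return findings
```

A failing `sufficient` module does not fail the PAM stack, so the account lines that follow pam_wheel in /etc/pam.d/su still decide the outcome; that is consistent with the denial being logged while the session is opened anyway.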