--- coreutils-5.2.0/src/Makefile.am.pam	2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/src/Makefile.am	2004-02-23 17:40:54.000000000 +0000
@@ -66,7 +66,7 @@
 
 uptime_LDADD = $(LDADD) $(GETLOADAVG_LIBS)
 
-su_LDADD = $(LDADD) $(LIB_CRYPT)
+su_LDADD = $(LDADD) $(LIB_CRYPT) @LIB_PAM@
 
 $(PROGRAMS): ../lib/libfetish.a
 
--- coreutils-5.2.0/src/su.c.pam	2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/src/su.c	2004-02-23 17:40:54.000000000 +0000
@@ -38,6 +38,16 @@
    restricts who can su to UID 0 accounts.  RMS considers that to
    be fascist.
 
+#ifdef USE_PAM
+
+   Actually, with PAM, su has nothing to do with whether or not a
+   wheel group is enforced by su.  RMS tries to restrict your access
+   to a su which implements the wheel group, but PAM considers that
+   to be fascist, and gives the user/sysadmin the opportunity to
+   enforce a wheel group by proper editing of /etc/pam.conf
+
+#endif
+
    Options:
    -, -l, --login	Make the subshell a login shell.
 			Unset all environment variables except
@@ -81,6 +91,14 @@
    prototype (returning `int') in <unistd.h>.  */
 #define getusershell _getusershell_sys_proto_
 
+#ifdef USE_PAM
+# include <security/pam_appl.h>
+# include <security/pam_misc.h>
+# include <signal.h>
+# include <sys/wait.h>
+# include <sys/fsuid.h>
+#endif /* USE_PAM */
+
 #include "system.h"
 #include "dirname.h"
 
@@ -150,7 +168,9 @@
 /* The user to become if none is specified.  */
 #define DEFAULT_USER "root"
 
+#ifndef USE_PAM
 char *crypt ();
+#endif
 char *getpass ();
 char *getusershell ();
 void endusershell ();
@@ -158,8 +178,12 @@
 
 extern char **environ;
 
-static void run_shell (const char *, const char *, char **)
+static void run_shell (const char *, const char *, char **, const struct passwd *)
+#ifdef USE_PAM
+     ;
+#else
      ATTRIBUTE_NORETURN;
+#endif
 
 /* The name this program was run with.  */
 char *program_name;
@@ -271,7 +295,22 @@
 }
 #endif
 
+#ifdef USE_PAM
+static pam_handle_t *pamh = NULL;
+static int retval;
+static struct pam_conv conv = {
+  misc_conv,
+  NULL
+};
+
+#define PAM_BAIL_P if (retval) { \
+  pam_end(pamh, PAM_SUCCESS); \
+  return 0; \
+}
+#endif
+
 /* Ask the user for a password.
+   If PAM is in use, let PAM ask for the password if necessary.
    Return 1 if the user gives the correct password for entry PW,
    0 if not.  Return 1 without asking for a password if run by UID 0
    or if PW has an empty password.  */
@@ -279,6 +318,34 @@
 static int
 correct_password (const struct passwd *pw)
 {
+#ifdef USE_PAM
+  struct passwd *caller;
+  retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
+  PAM_BAIL_P;
+
+  if (getuid() != 0 && !isatty(0)) {
+	fprintf(stderr, "standard in must be a tty\n");
+	exit(1);
+  }
+
+  caller = getpwuid(getuid());
+  if(caller != NULL && caller->pw_name != NULL) {
+	  retval = pam_set_item(pamh, PAM_RUSER, caller->pw_name);
+	  PAM_BAIL_P;
+  }
+
+  retval = pam_authenticate(pamh, 0);
+  PAM_BAIL_P;
+  retval = pam_acct_mgmt(pamh, 0);
+  if (retval == PAM_NEW_AUTHTOK_REQD) {
+    /* password has expired.  Offer option to change it. */
+    retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+    PAM_BAIL_P;
+  }
+  PAM_BAIL_P;
+  /* must be authenticated if this point was reached */
+  return 1;
+#else /* !USE_PAM */
   char *unencrypted, *encrypted, *correct;
 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
   /* Shadow passwd stuff for SVR3 and maybe other systems.  */
@@ -303,6 +370,7 @@
   encrypted = crypt (unencrypted, correct);
   memset (unencrypted, 0, strlen (unencrypted));
   return strcmp (encrypted, correct) == 0;
+#endif /* !USE_PAM */
 }
 
 /* Update `environ' for the new shell based on PW, with SHELL being
@@ -312,16 +380,24 @@
 modify_environment (const struct passwd *pw, const char *shell)
 {
   char *term;
+  char *display;
+  char *xauthority;
 
   if (simulate_login)
     {
-      /* Leave TERM unchanged.  Set HOME, SHELL, USER, LOGNAME, PATH.
+      /* Leave TERM, DISPLAY, XAUTHORITY unchanged.  Set HOME, SHELL, USER, LOGNAME, PATH.
          Unset all other environment variables.  */
       term = getenv ("TERM");
+      display = getenv ("DISPLAY");
+      xauthority = getenv ("XAUTHORITY");
       environ = xmalloc (2 * sizeof (char *));
       environ[0] = 0;
       if (term)
 	xputenv (concat ("TERM", "=", term));
+      if (display)
+	xputenv (concat ("DISPLAY", "=", display));
+      if (xauthority)
+	xputenv (concat ("XAUTHORITY", "=", xauthority));
       xputenv (concat ("HOME", "=", pw->pw_dir));
       xputenv (concat ("SHELL", "=", shell));
       xputenv (concat ("USER", "=", pw->pw_name));
@@ -358,22 +434,73 @@
     error (EXIT_FAIL, errno, _("cannot set groups"));
   endgrent ();
 #endif
+#ifdef USE_PAM
+  retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+  if (retval != PAM_SUCCESS)
+    error (1, 0, pam_strerror(pamh, retval));
+#endif /* USE_PAM */
   if (setgid (pw->pw_gid))
     error (EXIT_FAIL, errno, _("cannot set group id"));
   if (setuid (pw->pw_uid))
     error (EXIT_FAIL, errno, _("cannot set user id"));
 }
 
+#ifdef USE_PAM
+static int caught=0;
+/* Signal handler for parent process later */
+static void su_catch_sig(int sig)
+{
+  ++caught;
+}
+
+int
+pam_copyenv (pam_handle_t *pamh)
+{
+  char **env;
+
+  env = pam_getenvlist(pamh);
+  if(env) {
+    while(*env) {
+	xputenv(*env);
+	env++;
+    }
+  }
+  return(0);
+}
+#endif
+
 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
    If COMMAND is nonzero, pass it to the shell with the -c option.
    If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
    arguments.  */
 
 static void
-run_shell (const char *shell, const char *command, char **additional_args)
+run_shell (const char *shell, const char *command, char **additional_args, const struct passwd *pw)
 {
   const char **args;
   int argno = 1;
+#ifdef USE_PAM
+  int child;
+  sigset_t ourset;
+  int status;
+
+  retval = pam_open_session(pamh,0);
+  if (retval != PAM_SUCCESS) {
+    fprintf (stderr, "could not open session\n");
+    exit (1);
+  }
+
+/* do this at the last possible moment, because environment variables may
+   be passed even in the session phase
+*/
+  if(pam_copyenv(pamh) != PAM_SUCCESS)
+     fprintf (stderr, "error copying PAM environment\n");
+  
+  child = fork();
+  if (child == 0) {  /* child shell */
+  change_identity (pw);
+  pam_end(pamh, 0);
+#endif
 
   if (additional_args)
     args = xmalloc (sizeof (char *)
@@ -385,6 +512,9 @@
       char *arg0;
       char *shell_basename;
 
+      if(chdir(pw->pw_dir))
+	      error(0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+
       shell_basename = base_name (shell);
       arg0 = xmalloc (strlen (shell_basename) + 2);
       arg0[0] = '-';
@@ -411,6 +541,61 @@
     error (0, errno, "%s", shell);
     exit (exit_status);
   }
+#ifdef USE_PAM
+  } else if (child == -1) {
+      fprintf(stderr, "can not fork user shell: %s", strerror(errno));
+      exit(1);
+  }
+  /* parent only */
+  sigfillset(&ourset);
+  if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
+    fprintf(stderr, "%s: signal malfunction\n", PROGRAM_NAME);
+    caught = 1;
+  }
+  if (!caught) {
+    struct sigaction action;
+    action.sa_handler = su_catch_sig;
+    sigemptyset(&action.sa_mask);
+    action.sa_flags = 0;
+    sigemptyset(&ourset);
+    if (sigaddset(&ourset, SIGTERM)
+        || sigaddset(&ourset, SIGALRM)
+        || sigaction(SIGTERM, &action, NULL)
+        || sigprocmask(SIG_UNBLOCK, &ourset, NULL)) {
+      fprintf(stderr, "%s: signal masking malfunction\n", PROGRAM_NAME);
+      caught = 1;
+    }
+  }
+  if (!caught) {
+    do {
+      int pid;
+
+      pid = waitpid(-1, &status, WUNTRACED);
+
+      if (WIFSTOPPED(status)) {
+          kill(getpid(), SIGSTOP);
+          /* once we get here, we must have resumed */
+          kill(pid, SIGCONT);
+      }
+    } while (WIFSTOPPED(status));
+  }
+
+  if (caught) {
+    fprintf(stderr, "\nSession terminated, killing shell...");
+    kill (child, SIGTERM);
+  }
+  retval = pam_close_session(pamh, 0);
+  PAM_BAIL_P;
+  retval = pam_end(pamh, PAM_SUCCESS);
+  PAM_BAIL_P;
+  if (caught) {
+    sleep(2);
+    kill(child, SIGKILL);
+    fprintf(stderr, " ...killed.\n");
+    exit(-1);
+  }
+  exit (WEXITSTATUS(status));
+#endif /* USE_PAM */
 }
 
 /* Return 1 if SHELL is a restricted shell (one not returned by
@@ -586,9 +771,13 @@
     }
   modify_environment (pw, shell);
 
+
+#ifdef USE_PAM
+  setfsuid(pw->pw_uid);
+  setfsgid(pw->pw_gid);
+#else
   change_identity (pw);
-  if (simulate_login && chdir (pw->pw_dir))
-    error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+#endif
 
-  run_shell (shell, command, additional_args);
+  run_shell (shell, command, additional_args, pw);
 }
--- coreutils-5.2.0/configure.ac.pam	2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/configure.ac	2004-02-23 17:40:54.000000000 +0000
@@ -7,6 +7,13 @@
 
 AM_INIT_AUTOMAKE([1.8 gnits dist-bzip2])
 
+dnl Give the chance to enable PAM
+AC_ARG_ENABLE(pam, dnl
+[  --enable-pam              Enable use of the PAM libraries],
+[AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
+LIB_PAM="-ldl -lpam -lpam_misc"
+AC_SUBST(LIB_PAM)])
+
 gl_DEFAULT_POSIX2_VERSION
 gl_USE_SYSTEM_EXTENSIONS
 jm_PERL
--- coreutils-5.2.0/config.hin.pam	2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/config.hin	2004-02-23 17:40:54.000000000 +0000
@@ -1365,6 +1365,9 @@
 /* Define if you want access control list support. */
 #undef USE_ACL
 
+/* Define if you want to use PAM */
+#undef USE_PAM
+
 /* Version number of package */
 #undef VERSION
 
--- coreutils-5.2.1/doc/coreutils.texi.pam	2004-05-18 11:41:14.026354659 +0100
+++ coreutils-5.2.1/doc/coreutils.texi	2004-05-18 11:48:27.056915340 +0100
@@ -11855,8 +11855,11 @@
 @findex syslog
 @command{su} can optionally be compiled to use @code{syslog} to report
 failed, and optionally successful, @command{su} attempts.  (If the system
-supports @code{syslog}.)  However, GNU @command{su} does not check if the
-user is a member of the @code{wheel} group; see below.
+supports @code{syslog}.)
+
+This version of @command{su} has support for using PAM for
+authentication.  You can edit @file{/etc/pam.d/su} to customize its
+behaviour.
 
 The program accepts the following options.  Also see @ref{Common options}.
 
@@ -11937,33 +11940,6 @@
 the exit status of the subshell otherwise
 @end display
 
-@cindex wheel group, not supported
-@cindex group wheel, not supported
-@cindex fascism
-@subsection Why GNU @command{su} does not support the @samp{wheel} group
-
-(This section is by Richard Stallman.)
-
-@cindex Twenex
-@cindex MIT AI lab
-Sometimes a few of the users try to hold total power over all the
-rest.  For example, in 1984, a few users at the MIT AI lab decided to
-seize power by changing the operator password on the Twenex system and
-keeping it secret from everyone else.  (I was able to thwart this coup
-and give power back to the users by patching the kernel, but I
-wouldn't know how to do that in Unix.)
-
-However, occasionally the rulers do tell someone.  Under the usual
-@command{su} mechanism, once someone learns the root password who
-sympathizes with the ordinary users, he or she can tell the rest.  The
-``wheel group'' feature would make this impossible, and thus cement the
-power of the rulers.
-
-I'm on the side of the masses, not that of the rulers.  If you are
-used to supporting the bosses and sysadmins in whatever they do, you
-might find this idea strange at first.
-
-
 @node Process control
 @chapter Process control