From d4767b75206b46f1a006cd91b00239a7b828fc89 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 6 Jan 2025 04:24:44 -0500
Subject: [PATCH] fix: apply PAM wheal only to `su` PAM service

---
 usr/libexec/security-misc/pam_only_if_su | 17 +++++++++++++++++
 usr/share/pam-configs/wheel-security-misc | 1 +
 2 files changed, 18 insertions(+)
 create mode 100755 usr/libexec/security-misc/pam_only_if_su

diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su
new file mode 100755
index 0000000..604510f
--- /dev/null
+++ b/usr/libexec/security-misc/pam_only_if_su
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Similar to:
+## /usr/libexec/security-misc/pam_only_if_login
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+if [ "$PAM_SERVICE" = "su" ]; then
+ exit 1
+else
+ exit 0
+fi
diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc
index 323ff72..10dcb88 100644
--- a/usr/share/pam-configs/wheel-security-misc
+++ b/usr/share/pam-configs/wheel-security-misc
@@ -3,4 +3,5 @@ Default: yes
 Priority: 280
 Auth-Type: Primary
 Auth:
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su
 requisite pam_wheel.so group=sudo debug
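Review bot: The service check `[ "$PAM_SERVICE" = "su" ]` matches only the plain `su` service, so on systems where util-linux's `su -`/`su -l` authenticates through the separate `su-l` PAM service (Debian ships an /etc/pam.d/su-l) the script exits 0 and the `[success=1 default=ignore]` line in wheel-security-misc skips pam_wheel.so for exactly the login-shell case a wheel restriction most wants to cover; if that service exists on the target, widen the test to `if [ "$PAM_SERVICE" = "su" ] || [ "$PAM_SERVICE" = "su-l" ]; then`. The exit-status convention is also the opposite of what the file name suggests — exit 1 for su means "fall through to pam_wheel.so", exit 0 means "skip it" — so a header comment such as `## Exit non-zero for the su service so the [success=1 default=ignore] pam_exec line in wheel-security-misc falls through to pam_wheel.so; exit 0 for any other service, which skips it.` would spare the next reader a trip to the PAM control syntax. `set -x` traces every command to stderr, which pam_exec appears to leave inherited (only stdout is sent to /dev/null unless `log=` is given), so the trace is likely to land on the calling application's terminal or log; since `true "PAM_SERVICE: ..."` already emits the one useful line, consider dropping `set -x` or gating it on an environment variable once the change is verified.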
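Review bot: The `success=1` jump count on the new pam_exec line is bound to exactly one following module (the `requisite pam_wheel.so` line), so any line later inserted between the two, or a second wheel-related line appended after it, silently changes which module is skipped; since pam-configs profiles leave no room for an inline comment, that coupling is worth recording in the script's header or the commit message. If this profile also carries an `Auth-Initial:` block (not visible in the hunk), pam-auth-update uses it when this is the first Primary module on the stack, and it would need the same guard or the wheel restriction would still apply to every service there. The `default=ignore` half is the right fail-safe direction: a script that cannot be executed leaves pam_wheel.so in force rather than bypassed, which is what a restriction module should do on error.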