-rw-r--r--NEWS2
-rw-r--r--modules/pam_wheel/pam_wheel.c15
2 files changed, 4 insertions, 13 deletions
diff --git a/NEWS b/NEWS
index bd4bca65..d6e971c9 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Release 1.5.1
* pam_unix: fixed CVE-2020-27780 - authentication bypass when an
user doesn't exist and root password is blank
* pam_faillock: added nodelay option to not set pam_fail_delay
+* pam_wheel: use pam_modutil_user_in_group to check for the group membership
+ with getgrouplist where it is available
Release 1.5.0
* Multiple minor bug fixes, portability fixes, and documentation improvements.
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index 7fa3cfa9..179f56b3 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -44,17 +44,6 @@
#include <security/pam_ext.h>
#include "pam_inline.h"
-/* checks if a user is on a list of members of the GID 0 group */
-static int is_on_list(char * const *list, const char *member)
-{
- while (list && *list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
/* argument parsing */
#define PAM_DEBUG_ARG 0x0001
@@ -175,7 +164,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
grp = pam_modutil_getgrnam (pamh, use_group);
}
- if (!grp || (!grp->gr_mem && (tpwd->pw_gid != grp->gr_gid))) {
+ if (grp == NULL) {
if (ctrl & PAM_DEBUG_ARG) {
if (!use_group[0]) {
pam_syslog(pamh, LOG_NOTICE, "no members in a GID 0 group");
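Review bot: The debug message on the last line of this hunk no longer matches the condition guarding it: now that the `!grp->gr_mem` test is gone and the branch is entered only when `grp == NULL`, reaching it means pam_modutil_getgrnam could not resolve the group at all, not that the group has no members, so `"no members in a GID 0 group"` should become something like `"GID 0 group not found"` (and presumably the sibling message for the `use_group` case, outside this view, needs the same wording fix). Since membership is now decided by pam_modutil_user_in_group_uid_gid, which NEWS says uses getgrouplist where available, a group with an empty gr_mem is no longer a failure here because supplementary groups from any NSS source count; a one-line comment above the check, `/* only a failed group lookup is fatal: membership is resolved via NSS below */`, would make that intent explicit for anyone reading the `deny` logic. perform_check starts outside this hunk, so the return value taken on this path is not visible here.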
@@ -200,7 +189,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
* user has the "wheel" (sic) group as its primary group.
*/
- if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
+ if (pam_modutil_user_in_group_uid_gid(pamh, tpwd->pw_uid, grp->gr_gid)) {
if (ctrl & PAM_DENY_ARG) {
retval = PAM_PERM_DENIED;