Add the "auth_as_self" option to the pam_unix module (there is no

reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).

lib/libpam/libpam/pam_mod_misc.h

@@ -38,6 +38,7 @@
 #define	PAM_OPT_TRY_FIRST_PASS		0x08
 #define PAM_OPT_USE_MAPPED_PASS		0x10
 #define PAM_OPT_ECHO_PASS		0x20
+#define PAM_OPT_AUTH_AS_SELF		0x40
 
 __BEGIN_DECLS
 int	 pam_get_pass(pam_handle_t *, const char **, const char *, int);

lib/libpam/libpam/pam_std_option.c

@@ -48,6 +48,7 @@ pam_std_option(int *options, const char *name)
 		{ "try_first_pass",	PAM_OPT_TRY_FIRST_PASS },
 		{ "use_mapped_pass",	PAM_OPT_USE_MAPPED_PASS },
 		{ "echo_pass",		PAM_OPT_ECHO_PASS },
+		{ "auth_as_self",	PAM_OPT_AUTH_AS_SELF },
 		{ NULL,			0 }
 	};
 	struct opttab *p;

lib/libpam/libpam/security/pam_mod_misc.h

@@ -38,6 +38,7 @@
 #define	PAM_OPT_TRY_FIRST_PASS		0x08
 #define PAM_OPT_USE_MAPPED_PASS		0x10
 #define PAM_OPT_ECHO_PASS		0x20
+#define PAM_OPT_AUTH_AS_SELF		0x40
 
 __BEGIN_DECLS
 int	 pam_get_pass(pam_handle_t *, const char **, const char *, int);

lib/libpam/modules/pam_unix/pam_unix.c

@@ -62,12 +62,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	options = 0;
 	for (i = 0;  i < argc;  i++)
 		pam_std_option(&options, argv[i]);
-	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
-		return retval;
+	if (options & PAM_OPT_AUTH_AS_SELF)
+		pwd = getpwuid(getuid());
+	else {
+		if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+			return retval;
+		pwd = getpwnam(user);
+	}
 	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
 	    options)) != PAM_SUCCESS)
 		return retval;
-	if ((pwd = getpwnam(user)) != NULL) {
+	if (pwd != NULL) {
 		encrypted = crypt(password, pwd->pw_passwd);
 		if (password[0] == '\0' && pwd->pw_passwd[0] != '\0')
 			encrypted = ":";