pam_setcred() is called on the user's behalf.
implementations or on operating systems where opening a
PAM session changes the utmp or wtmp files. If PAM
session support is disabled, resource limits may not be
- updated for the command being run. This flag is _\bo_\bn by
- default.
+ updated for the command being run. If _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn,
+ _\bp_\ba_\bm_\b__\bs_\be_\bt_\bc_\br_\be_\bd, and _\bu_\bs_\be_\b__\bp_\bt_\by are disabled and I/O logging
+ has not been configured, s\bsu\bud\bdo\bo will execute the command
+ directly instead of running it as a child process.
+ This flag is _\bo_\bn by default.
This setting is only supported by version 1.8.7 or
higher.
+ pam_setcred On systems that use PAM for authentication, s\bsu\bud\bdo\bo will
+ attempt to establish credentials for the target user by
+ default, if supported by the underlying authentication
+ system. One example of a credential is a Kerberos
+ ticket. If _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn, _\bp_\ba_\bm_\b__\bs_\be_\bt_\bc_\br_\be_\bd, and _\bu_\bs_\be_\b__\bp_\bt_\by are
+ disabled and I/O logging has not been configured, s\bsu\bud\bdo\bo
+ will execute the command directly instead of running it
+ as a child process. This flag is _\bo_\bn by default.
+
+ This setting is only supported by version 1.8.8 or
+ higher.
+
passprompt_override
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
default value is ``sudo''. See the description of
_\bp_\ba_\bm_\b__\bs_\be_\br_\bv_\bi_\bc_\be for more information.
+ This setting is only supported by version 1.8.8 or
+ higher.
+
pam_service On systems that use PAM for authentication, the service
name specifies the PAM policy to apply. This usually
corresponds to an entry in the _\bp_\ba_\bm_\b._\bc_\bo_\bn_\bf file or a file
in the _\b/_\be_\bt_\bc_\b/_\bp_\ba_\bm_\b._\bd directory. The default value is
``sudo''.
+ This setting is only supported by version 1.8.8 or
+ higher.
+
passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
environment variable. The following percent (`%')
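Review bot: the "only supported by version 1.8.8 or higher" note is added after "See the description of pam_service for more information." (pam_login_service) and after the pam_service default-value sentence, while the pam_session entry just above says 1.8.7; readers will treat that difference as meaningful, so confirm against the change log that both string options first shipped in 1.8.8 before this text goes out.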
opening a PAM session changes the utmp or wtmp files.
If PAM session support is disabled, resource limits may not be updated
for the command being run.
+If
+\fIpam_session\fR,
+\fIpam_setcred\fR,
+and
+\fIuse_pty\fR
+are disabled and I/O logging has not been configured,
+\fBsudo\fR
+will execute the command directly instead of running it as a child
+process.
This flag is
\fI@pam_session@\fR
by default.
.sp
This setting is only supported by version 1.8.7 or higher.
.TP 18n
+pam_setcred
+On systems that use PAM for authentication,
+\fBsudo\fR
+will attempt to establish credentials for the target user by default,
+if supported by the underlying authentication system.
+One example of a credential is a Kerberos ticket.
+If
+\fIpam_session\fR,
+\fIpam_setcred\fR,
+and
+\fIuse_pty\fR
+are disabled and I/O logging has not been configured,
+\fBsudo\fR
+will execute the command directly instead of running it as a child
+process.
+This flag is
+\fIon\fR
+by default.
+.sp
+This setting is only supported by version 1.8.8 or higher.
+.TP 18n
passprompt_override
The password prompt specified by
\fIpassprompt\fR
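Review bot: the default for pam_setcred is hard-coded as \fIon\fR, whereas the neighbouring pam_session entry uses the configure-time substitution \fI@pam_session@\fR; if pam_setcred is meant to be selectable at build time like pam_session, use \fI@pam_setcred@\fR and add the matching substitution, and if it is deliberately fixed, a sentence in the commit message explaining the asymmetry would save the next reader the question.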
See the description of
\fIpam_service\fR
for more information.
+.sp
+This setting is only supported by version 1.8.8 or higher.
.TP 18n
pam_service
On systems that use PAM for authentication, the service name
directory.
The default value is
``\fRsudo\fR''.
+.sp
+This setting is only supported by version 1.8.8 or higher.
.TP 18n
passprompt
The default prompt to use when asking for a password; can be overridden via the
opening a PAM session changes the utmp or wtmp files.
If PAM session support is disabled, resource limits may not be updated
for the command being run.
+If
+.Em pam_session ,
+.Em pam_setcred ,
+and
+.Em use_pty
+are disabled and I/O logging has not been configured,
+.Nm sudo
+will execute the command directly instead of running it as a child
+process.
This flag is
.Em @pam_session@
by default.
.Pp
This setting is only supported by version 1.8.7 or higher.
+.It pam_setcred
+On systems that use PAM for authentication,
+.Nm sudo
+will attempt to establish credentials for the target user by default,
+if supported by the underlying authentication system.
+One example of a credential is a Kerberos ticket.
+If
+.Em pam_session ,
+.Em pam_setcred ,
+and
+.Em use_pty
+are disabled and I/O logging has not been configured,
+.Nm sudo
+will execute the command directly instead of running it as a child
+process.
+This flag is
+.Em on
+by default.
+.Pp
+This setting is only supported by version 1.8.8 or higher.
.It passprompt_override
The password prompt specified by
.Em passprompt
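Review bot: the mdoc pam_setcred entry says what the flag does when on but not what is lost when it is turned off; mirroring the pam_session wording "If PAM session support is disabled, resource limits may not be updated for the command being run", add a sentence such as "If pam_setcred is disabled, credentials such as a Kerberos ticket will not be established for the command," so an administrator weighing direct execution against credential setup sees the trade-off in the same place.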
See the description of
.Em pam_service
for more information.
+.Pp
+This setting is only supported by version 1.8.8 or higher.
.It pam_service
On systems that use PAM for authentication, the service name
specifies the PAM policy to apply.
directory.
The default value is
.Dq Li sudo .
+.Pp
+This setting is only supported by version 1.8.8 or higher.
.It passprompt
The default prompt to use when asking for a password; can be overridden via the
.Fl p
else
(void) pam_set_item(pamh, PAM_TTY, user_ttypath);
+ /*
+ * If PAM session and setcred support is disabled we don't
+ * need to keep a sudo process around to close the session.
+ */
+ if (!def_pam_session && !def_pam_setcred)
+ auth->end_session = NULL;
+
debug_return_int(AUTH_SUCCESS);
}
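Review bot: auth->end_session is cleared at PAM init based on def_pam_session and def_pam_setcred, so this is only correct if every sudoers Defaults entry that can affect those two flags (host-, user- or command-specific ones included) has been applied before sudo_pam_init runs; if they can still change afterwards, make the decision where the session is begun instead. Clearing the callback also means the pam_close_session/pam_setcred(PAM_DELETE_CRED) calls in sudo_pam_end_session never run for this handle, which is what the flags ask for, but the handle itself still has to be released, so this hunk depends on the sudo_pam_cleanup change below and the two should stay together.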
int *pam_status = (int *) auth->data;
debug_decl(sudo_pam_cleanup, SUDO_DEBUG_AUTH)
- /* If successful, we can't close the session until pam_end_session() */
- if (*pam_status != PAM_SUCCESS) {
+ /* If successful, we can't close the session until sudo_pam_end_session() */
+ if (*pam_status != PAM_SUCCESS || auth->end_session == NULL) {
*pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
pamh = NULL;
}
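Review bot: with the condition now `*pam_status != PAM_SUCCESS || auth->end_session == NULL`, pam_end() is also called from cleanup in the successful no-session case, but the comment above it still only describes the failure case; reword it to say the handle is ended here whenever no end_session callback is set. Note that in that branch `*pam_status | PAM_DATA_SILENT` passes PAM_SUCCESS through to pam_end(), which is the intended status for a session that was never opened.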
* pam_unix will fail but pam_ldap or pam_sss may succeed, but if
* pam_unix is first in the stack, pam_setcred() will fail.
*/
- (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ if (def_pam_setcred)
+ (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
#ifdef HAVE_PAM_GETENVLIST
/*
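Review bot: making the pam_setcred(PAM_ESTABLISH_CRED) call conditional leaves the comment above it (pam_unix failing while pam_ldap or pam_sss succeed) explaining only why the return value is ignored; extend it to state that the call is skipped altogether when the pam_setcred flag is off, and consider a sudo_debug_printf() line in that branch so someone diagnosing a missing Kerberos ticket can distinguish "disabled by policy" from "pam_setcred failed" in the debug log.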
(void) pam_set_item(pamh, PAM_USER, pw->pw_name);
if (def_pam_session)
(void) pam_close_session(pamh, PAM_SILENT);
- (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ if (def_pam_setcred)
+ (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) != PAM_SUCCESS)
status = AUTH_FAILURE;
pamh = NULL;
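Review bot: guarding pam_setcred(PAM_DELETE_CRED | PAM_SILENT) with def_pam_setcred mirrors the establish side, but both sides consult the global flag independently instead of recording what was actually done; if def_pam_setcred could differ between begin_session and end_session (for example if Defaults are re-applied in between), credentials could be established and never deleted, or deletion attempted for credentials that were never set up. Storing a "credentials established" bit in auth->data next to pam_status and testing that here removes the dependency on the flag staying stable.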
"pam_login_service", T_STR,
N_("PAM service name to use for login shells"),
NULL,
+ }, {
+ "pam_setcred", T_FLAG,
+ N_("Attempt to establish PAM credentials for the target user"),
+ NULL,
}, {
"pam_session", T_FLAG,
N_("Create a new PAM session for the command to run in"),
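Review bot: nothing in this patch initializes def_pam_setcred to true, yet the documentation added in the same change says the flag is on by default and the new `if (def_pam_setcred)` guards in pam.c would silently stop credentials from being established if it stays false; make sure the routine that gives pam_session its default also sets pam_setcred, and include that hunk so the table entry and its default are reviewed together.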
#define I_PAM_SERVICE 83
#define def_pam_login_service (sudo_defs_table[84].sd_un.str)
#define I_PAM_LOGIN_SERVICE 84
-#define def_pam_session (sudo_defs_table[85].sd_un.flag)
-#define I_PAM_SESSION 85
-#define def_maxseq (sudo_defs_table[86].sd_un.ival)
-#define I_MAXSEQ 86
+#define def_pam_setcred (sudo_defs_table[85].sd_un.flag)
+#define I_PAM_SETCRED 85
+#define def_pam_session (sudo_defs_table[86].sd_un.flag)
+#define I_PAM_SESSION 86
+#define def_maxseq (sudo_defs_table[87].sd_un.ival)
+#define I_MAXSEQ 87
enum def_tuple {
never,
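Review bot: inserting pam_setcred at slot 85 renumbers I_PAM_SESSION to 86 and I_MAXSEQ to 87, which is only safe if def_data.h and def_data.c were regenerated from def_data.in by the same generator run; because these are positional offsets into sudo_defs_table, a stale object file or an out-of-tree plugin built against the old header would read the wrong slot, so state in the commit message that a full rebuild is required and do not hand-edit either generated file.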
pam_login_service
T_STR
"PAM service name to use for login shells"
+pam_setcred
+ T_FLAG
+ "Attempt to establish PAM credentials for the target user"
pam_session
T_FLAG
"Create a new PAM session for the command to run in"
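Review bot: placing pam_setcred ahead of pam_session in def_data.in is what forces the index shift in def_data.h; appending the new entry at the end of the table would leave every existing I_* value untouched, so unless the project convention is to keep related PAM options grouped, consider appending instead. Either way, the description string here must stay byte-identical to the def_data.c entry ("Attempt to establish PAM credentials for the target user"), since any drift between the two is the tell-tale of a hand edit.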