]> granicus.if.org Git - sudo/commitdiff
If pam is in use, wait until the process has finished before calling
authorTodd C. Miller <Todd.Miller@courtesan.com>
Wed, 21 Jul 2010 14:17:22 +0000 (10:17 -0400)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Wed, 21 Jul 2010 14:17:22 +0000 (10:17 -0400)
pam_close_session().

--HG--
branch : 1.7

WHATSNEW
exec.c
exec_pty.c
set_perms.c
sudo.c
sudo.h

index 32a75b27a2dcf890eb8f16ce0dba19f2fe187368..1d5999297dc9e85a417e09ef94520b9a27d58f84 100644 (file)
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -47,6 +47,9 @@ What's new in Sudo 1.7.4?
 
  * Fixed a problem in the restoration of the AIX authdb registry setting.
 
+ * Sudo will now fork(2) and wait until the command has completed before
+   calling pam_close_session().
+
 What's new in Sudo 1.7.3?
 
  * Support for logging I/O for the command being run.
diff --git a/exec.c b/exec.c
index 4eee43fff161767ac6618c7fe2c560068dc02f61..afef44781d68fc889902e8265eea4f1feea27a1b 100644 (file)
--- a/exec.c
+++ b/exec.c
@@ -109,7 +109,7 @@ static int fork_cmnd(path, argv, envp, sv, rbac_enabled)
        /* child */
        close(sv[0]);
        fcntl(sv[1], F_SETFD, FD_CLOEXEC);
-       if (exec_setup(PERM_DOWAIT, rbac_enabled, user_ttypath, -1) == TRUE) {
+       if (exec_setup(rbac_enabled, user_ttypath, -1) == TRUE) {
            /* headed for execve() */
            closefrom(def_closefrom);
 #ifdef HAVE_SELINUX
@@ -185,7 +185,7 @@ sudo_execve(path, argv, envp, uid, cstat, dowait, bgmode)
      * If we don't need to wait for the command to finish, just exec it.
      */
     if (!dowait) {
-       exec_setup(0, FALSE, NULL, -1);
+       exec_setup(FALSE, NULL, -1);
        closefrom(def_closefrom);
        my_execve(path, argv, envp);
        cstat->type = CMD_ERRNO;
index 3ded40a70ec9cef2bda0fe6b769b3f3c8fcf3d23..da79664ac214f50a4bef5dbd09dba01d13527c72 100644 (file)
@@ -441,7 +441,7 @@ fork_pty(path, argv, envp, sv, rbac_enabled, maxfd)
        /* child */
        close(sv[0]);
        fcntl(sv[1], F_SETFD, FD_CLOEXEC);
-       if (exec_setup(PERM_DOWAIT, rbac_enabled, slavename, io_fds[SFD_SLAVE]) == TRUE) {
+       if (exec_setup(rbac_enabled, slavename, io_fds[SFD_SLAVE]) == TRUE) {
            /* Close the other end of the stdin/stdout/stderr pipes and exec. */
            if (io_pipe[STDIN_FILENO][1])
                close(io_pipe[STDIN_FILENO][1]);
index 4b3896ea7d5b2a721a59a6f11fa67f2a3b0ba0da..4e7dc9cf821533492c68fa3cf40d48f4b667c9a3 100644 (file)
@@ -59,7 +59,7 @@
 /*
  * Prototypes
  */
-static void runas_setup                __P((int));
+static void runas_setup                __P((void));
 static void runas_setgroups    __P((void));
 static void restore_groups     __P((void));
 
@@ -77,10 +77,9 @@ set_perms(perm)
     int perm;
 {
     const char *errstr;
-    int noexit, dowait;
+    int noexit;
 
     noexit = ISSET(perm, PERM_NOEXIT);
-    dowait = ISSET(perm, PERM_DOWAIT);
     CLR(perm, PERM_MASK);
 
     if (perm == current_perm)
@@ -127,7 +126,7 @@ set_perms(perm)
 
        case PERM_FULL_RUNAS:
                                /* headed for exec(), assume euid == ROOT_UID */
-                               runas_setup(dowait);
+                               runas_setup();
                                if (setresuid(def_stay_setuid ?
                                    user_uid : runas_pw->pw_uid,
                                    runas_pw->pw_uid, runas_pw->pw_uid)) {
@@ -192,10 +191,9 @@ set_perms(perm)
     int perm;
 {
     const char *errstr;
-    int noexit, dowait;
+    int noexit;
 
     noexit = ISSET(perm, PERM_NOEXIT);
-    dowait = ISSET(perm, PERM_DOWAIT);
     CLR(perm, PERM_MASK);
 
     if (perm == current_perm)
@@ -246,7 +244,7 @@ set_perms(perm)
 
        case PERM_FULL_RUNAS:
                                /* headed for exec(), assume euid == ROOT_UID */
-                               runas_setup(dowait);
+                               runas_setup();
                                if (setreuid(def_stay_setuid ? user_uid :
                                    runas_pw->pw_uid, runas_pw->pw_uid)) {
                                    errstr = "unable to change to runas uid";
@@ -308,10 +306,9 @@ set_perms(perm)
     int perm;
 {
     const char *errstr;
-    int noexit, dowait;
+    int noexit;
 
     noexit = ISSET(perm, PERM_NOEXIT);
-    dowait = ISSET(perm, PERM_DOWAIT);
     CLR(perm, PERM_MASK);
 
     if (perm == current_perm)
@@ -368,7 +365,7 @@ set_perms(perm)
 
        case PERM_FULL_RUNAS:
                                /* headed for exec() */
-                               runas_setup(dowait);
+                               runas_setup();
                                if (setuid(runas_pw->pw_uid)) {
                                    errstr = "unable to change to runas uid";
                                    goto bad;
@@ -428,10 +425,9 @@ set_perms(perm)
     int perm;
 {
     const char *errstr;
-    int noexit, dowait;
+    int noexit;
 
     noexit = ISSET(perm, PERM_NOEXIT);
-    dowait = ISSET(perm, PERM_DOWAIT);
     CLR(perm, PERM_MASK);
 
     if (perm == current_perm)
@@ -456,7 +452,7 @@ set_perms(perm)
                                break;
                                
        case PERM_FULL_RUNAS:
-                               runas_setup(dowait);
+                               runas_setup();
                                if (setuid(runas_pw->pw_uid)) {
                                    errstr = "unable to change to runas uid";
                                    goto bad;
@@ -547,8 +543,7 @@ restore_groups()
 #endif /* HAVE_INITGROUPS */
 
 static void
-runas_setup(dowait)
-    int dowait;
+runas_setup()
 {
     gid_t gid;
 #ifdef HAVE_LOGIN_CAP_H
@@ -563,8 +558,6 @@ runas_setup(dowait)
 #endif
 #ifdef HAVE_PAM
        pam_begin_session(runas_pw);
-       if (!dowait)
-           pam_end_session();
 #endif /* HAVE_PAM */
 
 #ifdef HAVE_LOGIN_CAP_H
diff --git a/sudo.c b/sudo.c
index b4f584c885cb2997cf995a5eb7b3245274c63dcb..c00a3094334ad21b5930f9d42b697b7b9106565b 100644 (file)
--- a/sudo.c
+++ b/sudo.c
 # include "nonunix.h"
 #endif
 
+#ifdef HAVE_PAM
+# define CMND_WAIT     TRUE
+#else
+# define CMND_WAIT     FALSE
+#endif
+
 /*
  * Prototypes
  */
@@ -517,10 +523,12 @@ main(argc, argv, envp)
        (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
        (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
 
-       if (ISSET(sudo_mode, MODE_EDIT))
+       if (ISSET(sudo_mode, MODE_EDIT)) {
            exit(sudo_edit(NewArgc, NewArgv, envp));
-       else
-           exit(run_command(safe_cmnd, NewArgv, env_get(), runas_pw->pw_uid, FALSE));
+       } else {
+           exit(run_command(safe_cmnd, NewArgv, env_get(), runas_pw->pw_uid,
+               CMND_WAIT));
+       }
     } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
        audit_failure(NewArgv, "No user or host");
        log_denial(validated, 1);
@@ -820,8 +828,7 @@ set_cmnd(sudo_mode)
  * Returns TRUE on success and FALSE on failure.
  */
 int
-exec_setup(flags, rbac_enabled, ttyname, ttyfd)
-    int flags;
+exec_setup(rbac_enabled, ttyname, ttyfd)
     int rbac_enabled;
     const char *ttyname;
     int ttyfd;
@@ -870,7 +877,7 @@ exec_setup(flags, rbac_enabled, ttyname, ttyfd)
 #endif /* RLIMIT_CORE && !SUDO_DEVEL */
 
     if (ISSET(sudo_mode, MODE_RUN))
-       set_perms(PERM_FULL_RUNAS|flags);
+       set_perms(PERM_FULL_RUNAS);
 
     if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
        /* Change to target user's homedir. */
diff --git a/sudo.h b/sudo.h
index 6ce915f73b79d05114b65dc7e3f14442013cd774..f946291d9eb1d986c264bc456377a0be0ad5bc9b 100644 (file)
--- a/sudo.h
+++ b/sudo.h
@@ -148,7 +148,6 @@ struct command_status {
 #define PERM_FULL_RUNAS          0x05
 #define PERM_TIMESTAMP           0x06
 #define PERM_NOEXIT              0x10 /* flag */
-#define PERM_DOWAIT              0x20 /* flag */
 #define PERM_MASK                0xf0
 
 /*
@@ -314,7 +313,7 @@ int set_perms               __P((int));
 
 /* sudo.c */
 FILE *open_sudoers     __P((const char *, int, int *));
-int exec_setup         __P((int, int, const char *, int));
+int exec_setup         __P((int, const char *, int));
 void cleanup           __P((int));
 void set_fqdn          __P((void));