ac_ct_CC
CC
PLUGINDIR
+pam_session
editor
secure_path
netsvc_conf
+
#
noexec_file=/usr/local/libexec/sudo/sudo_noexec.so
nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
+pam_session=on
PLUGINDIR=/usr/local/libexec/sudo
#
# End initial values for man page substitution
yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
;;
- no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
- $as_echo "#define NO_PAM_SESSION 1" >>confdefs.h
+ $as_echo "#define NO_PAM_SESSION 1" >>confdefs.h
- ;;
- *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ pam_session=off
+ ;;
+ *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-pam-session: $enableval" >&5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-pam-session: $enableval" >&5
$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-pam-session: $enableval" >&2;}
- ;;
+ ;;
esac
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
AC_SUBST([editor])
+AC_SUBST([pam_session])
AC_SUBST([PLUGINDIR])
#
# Begin initial values for man page substitution
noexec_file=/usr/local/libexec/sudo/sudo_noexec.so
nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
+pam_session=on
PLUGINDIR=/usr/local/libexec/sudo
#
# End initial values for man page substitution
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
;;
- no) AC_MSG_RESULT(no)
- AC_DEFINE(NO_PAM_SESSION)
- ;;
- *) AC_MSG_RESULT(no)
- AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
- ;;
+ no) AC_MSG_RESULT(no)
+ AC_DEFINE(NO_PAM_SESSION)
+ pam_session=off
+ ;;
+ *) AC_MSG_RESULT(no)
+ AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
+ ;;
esac], AC_MSG_RESULT(yes))
fi
fi
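Review bot: The `*)` branch on the new side still answers `AC_MSG_RESULT(no)` while neither `AC_DEFINE(NO_PAM_SESSION)` nor the new `pam_session=off` is set there, so an unrecognized `--enable-pam-session` value leaves PAM sessions enabled (the initial value is `pam_session=on` and defaults.c compiles in `true` without NO_PAM_SESSION) yet the configure output says no. Since the `no)` branch is now the one that sets both the define and the man-page substitution, either report what actually happens, `*) AC_MSG_RESULT(yes)`, or fold the unknown-value case into the `no)` handling so the warning and the effective setting agree. The AC_ARG_ENABLE macro this case statement belongs to starts before the hunk.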
will not be automatically foregrounded. Some versions
of the linux su(1) command behave this way.
- This setting is only supported by s\bsu\bud\bdo\boe\ber\brs\bs plugin
- version 1.8.7 or higher. It has no effect unless I/O
- logging is enabled or the _\bu_\bs_\be_\b__\bp_\bt_\by flag is enabled.
+ This setting is only supported by version 1.8.7 or
+ higher. It has no effect unless I/O logging is enabled
+ or the _\bu_\bs_\be_\b__\bp_\bt_\by flag is enabled.
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
well as the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section at the end
of this manual. This flag is _\bo_\bf_\bf by default.
+ pam_session On systems that use PAM for authentication, s\bsu\bud\bdo\bo will
+ create a new PAM session for the command to be run in.
+ Disabling _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn may be needed on older PAM
+ implementations or on operating systems where opening a
+ PAM session changes the utmp or wtmp files. If PAM
+ session support is disabled, resource limits may not be
+ updated for the command being run. This flag is _\bo_\bn by
+ default.
+
+ This setting is only supported by version 1.8.7 or
+ higher.
+
+ passprompt_override
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+ normally only be used if the password prompt provided
+ by systems such as PAM matches the string
+ ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
+ default.
+
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
not allowed to run it, which can be confusing. This
flag is _\bo_\bn by default.
- passprompt_override
- The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
- normally only be used if the password prompt provided
- by systems such as PAM matches the string
- ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
- default.
-
preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
truncated to 2176782336. The default value is
2176782336.
- This setting is only supported by s\bsu\bud\bdo\boe\ber\brs\bs plugin
- version 1.8.7 or higher.
+ This setting is only supported by version 1.8.7 or
+ higher.
noexec_file As of s\bsu\bud\bdo\bo version 1.8.1 this option is no longer
supported. The path to the noexec file should now be
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.7 February 20, 2013 Sudo 1.8.7
+Sudo 1.8.7 February 24, 2013 Sudo 1.8.7
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "@mansectsu@" "February 20, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "February 24, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
su(1)
command behave this way.
.sp
-This setting is only supported by
-\fBsudoers\fR
-plugin version 1.8.7 or higher.
+This setting is only supported by version 1.8.7 or higher.
It has no effect unless I/O logging is enabled or the
\fIuse_pty\fR
flag is enabled.
\fIoff\fR
by default.
.TP 18n
-path_info
-Normally,
-\fBsudo\fR
-will tell the user when a command could not be
-found in their
-\fRPATH\fR
-environment variable.
-Some sites may wish to disable this as it could be used to gather
-information on the location of executables that the normal user does
-not have access to.
-The disadvantage is that if the executable is simply not in the user's
-\fRPATH\fR,
+pam_session
+On systems that use PAM for authentication,
\fBsudo\fR
-will tell the user that they are not allowed to run it, which can be confusing.
+will create a new PAM session for the command to be run in.
+Disabling
+\fIpam_session\fR
+may be needed on older PAM implementations or on operating systems where
+opening a PAM session changes the utmp or wtmp files.
+If PAM session support is disabled, resource limits may not be updated
+for the command being run.
This flag is
-\fI@path_info@\fR
+\fI@pam_session@\fR
by default.
+.sp
+This setting is only supported by version 1.8.7 or higher.
.TP 18n
passprompt_override
The password prompt specified by
\fIoff\fR
by default.
.TP 18n
+path_info
+Normally,
+\fBsudo\fR
+will tell the user when a command could not be
+found in their
+\fRPATH\fR
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+\fRPATH\fR,
+\fBsudo\fR
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+\fI@path_info@\fR
+by default.
+.TP 18n
preserve_groups
By default,
\fBsudo\fR
will be silently truncated to 2176782336.
The default value is 2176782336.
.sp
-This setting is only supported by
-\fBsudoers\fR
-plugin version 1.8.7 or higher.
+This setting is only supported by version 1.8.7 or higher.
.TP 18n
noexec_file
As of
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd February 20, 2013
+.Dd February 24, 2013
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Xr su 1
command behave this way.
.Pp
-This setting is only supported by
-.Nm sudoers
-plugin version 1.8.7 or higher.
+This setting is only supported by version 1.8.7 or higher.
It has no effect unless I/O logging is enabled or the
.Em use_pty
flag is enabled.
This flag is
.Em off
by default.
-.It path_info
-Normally,
-.Nm sudo
-will tell the user when a command could not be
-found in their
-.Ev PATH
-environment variable.
-Some sites may wish to disable this as it could be used to gather
-information on the location of executables that the normal user does
-not have access to.
-The disadvantage is that if the executable is simply not in the user's
-.Ev PATH ,
+.It pam_session
+On systems that use PAM for authentication,
.Nm sudo
-will tell the user that they are not allowed to run it, which can be confusing.
+will create a new PAM session for the command to be run in.
+Disabling
+.Em pam_session
+may be needed on older PAM implementations or on operating systems where
+opening a PAM session changes the utmp or wtmp files.
+If PAM session support is disabled, resource limits may not be updated
+for the command being run.
This flag is
-.Em @path_info@
+.Em @pam_session@
by default.
+.Pp
+This setting is only supported by version 1.8.7 or higher.
.It passprompt_override
The password prompt specified by
.Em passprompt
This flag is
.Em off
by default.
+.It path_info
+Normally,
+.Nm sudo
+will tell the user when a command could not be
+found in their
+.Ev PATH
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+.Ev PATH ,
+.Nm sudo
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+.Em @path_info@
+by default.
.It preserve_groups
By default,
.Nm sudo
will be silently truncated to 2176782336.
The default value is 2176782336.
.Pp
-This setting is only supported by
-.Nm sudoers
-plugin version 1.8.7 or higher.
+This setting is only supported by version 1.8.7 or higher.
.It noexec_file
As of
.Nm sudo
}
#endif /* HAVE_PAM_GETENVLIST */
-#ifndef NO_PAM_SESSION
- status = pam_open_session(pamh, 0);
- if (status != PAM_SUCCESS) {
- (void) pam_end(pamh, status | PAM_DATA_SILENT);
- pamh = NULL;
+ if (pam_session) {
+ status = pam_open_session(pamh, 0);
+ if (status != PAM_SUCCESS) {
+ (void) pam_end(pamh, status | PAM_DATA_SILENT);
+ pamh = NULL;
+ }
}
-#endif
done:
debug_return_int(status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
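Review bot: The new guard `if (pam_session) {` around the pam_open_session call reads an identifier that no hunk on this page declares; the only new symbol introduced for this option is `def_pam_session` (the `sudo_defs_table[83].sd_un.flag` accessor added in def_data.h), so unless pam.c defines a file-local `pam_session` outside the visible hunks this will not compile, and the intended test is presumably `if (def_pam_session) {`. The same applies to the `if (pam_session)` guard before `pam_close_session` in the next hunk of this file. Whatever name is used, both guards should read the same defaults flag so that a session opened here is always the one closed there. The enclosing function starts before the hunk.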
* XXX - still needed now that session init is in parent?
*/
(void) pam_set_item(pamh, PAM_USER, pw->pw_name);
-#ifndef NO_PAM_SESSION
- (void) pam_close_session(pamh, PAM_SILENT);
-#endif
+ if (pam_session)
+ (void) pam_close_session(pamh, PAM_SILENT);
(void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
pamh = NULL;
"exec_background", T_FLAG,
N_("Run commands on a pty in the background"),
NULL,
+ }, {
+ "pam_session", T_FLAG,
+ N_("Create a new PAM session for the command to run in"),
+ NULL,
}, {
"maxseq", T_UINT,
N_("Maximum I/O log sequence number"),
#define I_LIMITPRIVS 81
#define def_exec_background (sudo_defs_table[82].sd_un.flag)
#define I_EXEC_BACKGROUND 82
-#define def_maxseq (sudo_defs_table[83].sd_un.ival)
-#define I_MAXSEQ 83
+#define def_pam_session (sudo_defs_table[83].sd_un.flag)
+#define I_PAM_SESSION 83
+#define def_maxseq (sudo_defs_table[84].sd_un.ival)
+#define I_MAXSEQ 84
enum def_tuple {
never,
exec_background
T_FLAG
"Run commands on a pty in the background"
+pam_session
+ T_FLAG
+ "Create a new PAM session for the command to run in"
maxseq
T_UINT
"Maximum I/O log sequence number"
def_env_reset = ENV_RESET;
def_set_logname = true;
def_closefrom = STDERR_FILENO + 1;
+#ifdef NO_PAM_SESSION
+ def_pam_session = false;
+#else
+ def_pam_session = true;
+#endif
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)
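Review bot: The new `#ifdef NO_PAM_SESSION` block is the only place where the configure-time choice meets the runtime `def_pam_session` flag, and nothing here says where NO_PAM_SESSION comes from. A one-line comment above it such as `/* Compiled-in default; NO_PAM_SESSION is set by --disable-pam-session (--enable-pam-session=no) at configure time. */` would save the next reader a trip through configure.in. Since this is a T_FLAG entry in the defaults table it can presumably still be overridden from sudoers, so the comment should describe it as the default rather than a fixed setting. The enclosing function starts before the hunk.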