if there is a monitor process.
--HG--
branch : 1.7
65) See http://iase.disa.mil/stigs/whitepaper/sudowhitepaper-042304.doc
-66) Add a session mode where sudo allocates a pty and logs everything
- that occurs ala script(1). Logs should be replayable via
- scriptreplay.pl. See linux script's -t option for timing info.
+66) Update Active Directory instructions based on Alain Roy's info
-67) Update Active Directory instructions based on Alain Roy's info
-
-68) Add support for multiple LDAP trees; from Joachim Henke
+67) Add support for multiple LDAP trees; from Joachim Henke
}
int
-pam_prep_user(pw)
+pam_begin_session(pw)
struct passwd *pw;
{
- int eval;
+ int status = PAM_SUCCESS;
+ /* If the user did not have to authenticate there is no pam handle yet. */
if (pamh == NULL)
pam_init(pw, NULL, NULL);
(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
#ifndef NO_PAM_SESSION
- /*
- * To fully utilize PAM sessions we would need to keep a
- * sudo process around until the command exits. However, we
- * can at least cause pam_limits to be run by opening and then
- * immediately closing the session.
- */
- if ((eval = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
- (void) pam_end(pamh, eval | PAM_DATA_SILENT);
- return(AUTH_FAILURE);
+ status = pam_open_session(pamh, 0);
+ if (status != PAM_SUCCESS) {
+ (void) pam_end(pamh, status | PAM_DATA_SILENT);
+ pamh = NULL;
}
- (void) pam_close_session(pamh, 0);
#endif
+ return(status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
+}
- if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
- return(AUTH_SUCCESS);
- else
- return(AUTH_FAILURE);
+int
+pam_end_session()
+{
+ int status = PAM_SUCCESS;
+
+ if (pamh != NULL) {
+#ifndef NO_PAM_SESSION
+ (void) pam_close_session(pamh, 0);
+#endif
+ status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+ }
+ return(status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
}
/*
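Review bot: pam_end_session() leaves the global pamh pointing at a handle that pam_end() has already released, so a second call, or any later PAM call on pamh, would operate on a freed handle; the failure path in pam_begin_session does clear it (`pamh = NULL;` after its pam_end), and pam_end_session should do the same right after the `status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);` line. The `pam_setcred(pamh, PAM_ESTABLISH_CRED)` in pam_begin_session also has no matching teardown: nothing issues `(void) pam_setcred(pamh, PAM_DELETE_CRED);` in pam_end_session (conventionally after pam_close_session), so credential modules never get their cleanup callback for what is now a long-lived session. The unchecked return of pam_setcred(PAM_ESTABLISH_CRED) predates this change. If the `/*` after the closing brace opens a comment on the next function, the hunk's trailing context extends past pam_end_session.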
if (rbac_enabled)
selinux_setup(user_role, user_type, user_ttypath, -1);
#endif
- if (exec_setup() == TRUE) {
+ if (exec_setup(PERM_DOWAIT) == TRUE) {
/* headed for execve() */
closefrom(def_closefrom);
#ifdef HAVE_SELINUX
* If we don't need to wait for the command to finish, just exec it.
*/
if (!dowait) {
- exec_setup();
+ exec_setup(0);
closefrom(def_closefrom);
my_execve(path, argv, envp);
cstat->type = CMD_ERRNO;
if (rbac_enabled)
selinux_setup(user_role, user_type, slavename, io_fds[SFD_SLAVE]);
#endif
- if (exec_setup() == TRUE) {
+ if (exec_setup(PERM_DOWAIT) == TRUE) {
/* Close the other end of the stdin/stdout/stderr pipes and exec. */
if (io_pipe[STDIN_FILENO][1])
close(io_pipe[STDIN_FILENO][1]);
/*
* Prototypes
*/
-static void runas_setup __P((void));
+static void runas_setup __P((int));
static void runas_setgroups __P((void));
static void restore_groups __P((void));
int perm;
{
const char *errstr;
- int noexit;
+ int noexit, dowait;
noexit = ISSET(perm, PERM_NOEXIT);
+ dowait = ISSET(perm, PERM_DOWAIT);
CLR(perm, PERM_MASK);
if (perm == current_perm)
case PERM_FULL_RUNAS:
/* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
+ runas_setup(dowait);
if (setresuid(def_stay_setuid ?
user_uid : runas_pw->pw_uid,
runas_pw->pw_uid, runas_pw->pw_uid)) {
int perm;
{
const char *errstr;
- int noexit;
+ int noexit, dowait;
noexit = ISSET(perm, PERM_NOEXIT);
+ dowait = ISSET(perm, PERM_DOWAIT);
CLR(perm, PERM_MASK);
if (perm == current_perm)
case PERM_FULL_RUNAS:
/* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
+ runas_setup(dowait);
if (setreuid(def_stay_setuid ? user_uid :
runas_pw->pw_uid, runas_pw->pw_uid)) {
errstr = "unable to change to runas uid";
int perm;
{
const char *errstr;
- int noexit;
+ int noexit, dowait;
noexit = ISSET(perm, PERM_NOEXIT);
+ dowait = ISSET(perm, PERM_DOWAIT);
CLR(perm, PERM_MASK);
if (perm == current_perm)
case PERM_FULL_RUNAS:
/* headed for exec() */
- runas_setup();
+ runas_setup(dowait);
if (setuid(runas_pw->pw_uid)) {
errstr = "unable to change to runas uid";
goto bad;
int perm;
{
const char *errstr;
- int noexit;
+ int noexit, dowait;
noexit = ISSET(perm, PERM_NOEXIT);
+ dowait = ISSET(perm, PERM_DOWAIT);
CLR(perm, PERM_MASK);
if (perm == current_perm)
break;
case PERM_FULL_RUNAS:
- runas_setup();
+ runas_setup(dowait);
if (setuid(runas_pw->pw_uid)) {
errstr = "unable to change to runas uid";
goto bad;
#endif /* HAVE_INITGROUPS */
static void
-runas_setup()
+runas_setup(dowait)
+ int dowait;
{
gid_t gid;
#ifdef HAVE_LOGIN_CAP_H
aix_setlimits(runas_pw->pw_name);
#endif
#ifdef HAVE_PAM
- pam_prep_user(runas_pw);
+ pam_begin_session(runas_pw);
+ if (!dowait)
+ pam_end_session();
#endif /* HAVE_PAM */
#ifdef HAVE_LOGIN_CAP_H
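Review bot: The result of `pam_begin_session(runas_pw);` is discarded, so when pam_open_session() fails — pam_begin_session then ends the handle and returns AUTH_FAILURE — the command still goes on to exec as the target user and the session modules' refusal has no effect. The old pam_prep_user call was equally unchecked, but this commit makes the session meaningful, so the new line is the place to act on it: `if (pam_begin_session(runas_pw) != AUTH_SUCCESS) { warningx("unable to open PAM session"); exit(1); }` (or the file's fatal-error helper, if it has one). runas_setup is void and its body begins and continues outside the hunk, so failure has to be reported by aborting rather than via a return value; the same applies to the `pam_end_session();` taken when !dowait, whose AUTH_FAILURE is likewise dropped.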
* Returns TRUE on success and FALSE on failure.
*/
int
-exec_setup()
+exec_setup(flags)
+ int flags;
{
int rval = FALSE;
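Review bot: The new `flags` parameter of exec_setup() is undocumented; the header comment above (which starts outside the hunk and ends with `Returns TRUE on success and FALSE on failure.`) should state what it carries, e.g. ` * flags: PERM_* flag bits (PERM_DOWAIT or 0) ORed into the set_perms() call.` It is worth adding that the bits are only applied in the MODE_RUN branch (`set_perms(PERM_FULL_RUNAS|flags)` in the following hunk), since that is what decides whether the PAM session stays open until the command exits. Nothing masks `flags` to PERM_MASK before the OR, so a caller passing a non-flag value would change the permission mode; the two visible callers pass PERM_DOWAIT or 0, so this is a contract to document rather than a bug in this change.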
#endif /* RLIMIT_CORE && !SUDO_DEVEL */
if (ISSET(sudo_mode, MODE_RUN))
- set_perms(PERM_FULL_RUNAS);
+ set_perms(PERM_FULL_RUNAS|flags);
if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Change to target user's homedir. */
warningx("unexpected child termination condition: %d", cstat.type);
break;
}
+#ifdef HAVE_PAM
+ pam_end_session();
+#endif /* HAVE_PAM */
#ifdef _PATH_SUDO_IO_LOGDIR
io_log_close();
#endif
#define PERM_FULL_RUNAS 0x05
#define PERM_TIMESTAMP 0x06
#define PERM_NOEXIT 0x10 /* flag */
+#define PERM_DOWAIT 0x20 /* flag */
#define PERM_MASK 0xf0
/*
int sudo_ldap_display_privs __P((struct sudo_nss *, struct passwd *, struct lbuf *));
/* pam.c */
-int pam_prep_user __P((struct passwd *));
+int pam_begin_session __P((struct passwd *));
+int pam_end_session __P((void));
/* parse.c */
int sudo_file_open __P((struct sudo_nss *));
/* sudo.c */
FILE *open_sudoers __P((const char *, int, int *));
-int exec_setup __P((void));
+int exec_setup __P((int));
void cleanup __P((int));
void set_fqdn __P((void));