Add support for a sudo-i pam.d file to be used for "sudo -i".

Adapted from a RedHat patch.

--HG--
branch : 1.7

diff --git a/auth/pam.c b/auth/pam.c
index 257b64d86311db817db3e44a0c97e6213002c44c..9b04219fc6094167d0b68c7329913a132bf3d39e 100644 (file)
--- a/auth/pam.c
+++ b/auth/pam.c
@@ -93,7 +93,13 @@ pam_init(pw, promptp, auth)
     if (auth != NULL)
        auth->data = (void *) &pam_status;
     pam_conv.conv = sudo_conv;
-    pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+           pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+    else
+#endif
+           pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+
     if (pam_status != PAM_SUCCESS) {
        log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
        return(AUTH_FATAL);

diff --git a/config.h.in b/config.h.in
index 47a7ed3e3cc6470b771ac338e56e3815772b3103..eeb444f06b122e32f25ee6e2221575b75fbe13d0 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -361,6 +361,9 @@
 /* Define to 1 if you use PAM authentication. */
 #undef HAVE_PAM
 
+/* Define to 1 if you use a specific PAM session for sudo -i. */
+#undef HAVE_PAM_LOGIN
+
 /* Define to 1 if you have the <pam/pam_appl.h> header file. */
 #undef HAVE_PAM_PAM_APPL_H
 

diff --git a/configure b/configure
index 6f33c65dd57c68d040c58a94c2c83c7e83d0e0a7..e2bc5b34093f5329448f0d1fa77c00ab7032e059 100755 (executable)
--- a/configure
+++ b/configure
@@ -995,6 +995,7 @@ enable_libtool_lock
 with_noexec
 with_netsvc
 enable_sia
+with_pam_login
 enable_pam_session
 enable_zlib
 '
@@ -1742,6 +1743,7 @@ Optional Packages:
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-noexec=PATH      fully qualified pathname of sudo_noexec.so
   --with-netsvc[=PATH]    path to netsvc.conf
+  --with-pam-login        enable specific PAM session for sudo -i
 
 Some influential environment variables:
   CC          C compiler command
@@ -6619,13 +6621,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6622: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6624: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6625: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6627: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6628: output\"" >&5)
+  (eval echo "\"\$as_me:6630: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7830,7 +7832,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7833 "configure"' > conftest.$ac_ext
+  echo '#line 7835 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9223,11 +9225,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9226: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9228: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9230: \$? = $ac_status" >&5
+   echo "$as_me:9232: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9562,11 +9564,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9565: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9567: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9569: \$? = $ac_status" >&5
+   echo "$as_me:9571: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9667,11 +9669,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9670: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9672: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9674: \$? = $ac_status" >&5
+   echo "$as_me:9676: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9722,11 +9724,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9725: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9727: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9729: \$? = $ac_status" >&5
+   echo "$as_me:9731: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12089,7 +12091,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12092 "configure"
+#line 12094 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12185,7 +12187,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12188 "configure"
+#line 12190 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -16141,6 +16143,25 @@ done
 
        AUTH_OBJS="$AUTH_OBJS pam.o";
        AUTH_EXCL=PAM
+
+
+# Check whether --with-pam-login was given.
+if test "${with_pam_login+set}" = set; then :
+  withval=$with_pam_login; case $with_pam_login in
+           yes)        $as_echo "#define HAVE_PAM_LOGIN 1" >>confdefs.h
+
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM login" >&5
+$as_echo_n "checking whether to use PAM login... " >&6; }
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                       ;;
+           no)         ;;
+           *)          as_fn_error "\"--with-pam-login does not take an argument.\"" "$LINENO" 5
+                       ;;
+       esac
+fi
+
+
        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM session support" >&5
 $as_echo_n "checking whether to use PAM session support... " >&6; }
        # Check whether --enable-pam_session was given.
@@ -16166,6 +16187,7 @@ else
 $as_echo "yes" >&6; }
 fi
 
+
        case $host in
            *-*-linux*|*-*-solaris*)
                    # dgettext() may be defined to dgettext_libintl in the
@@ -20542,5 +20564,6 @@ fi
 
 
 
+
 
 

diff --git a/configure.in b/configure.in
index d7ad654de33559274a4c416c93ba93e677bce9a8..5e04e95334de3dd0cd0d925704554d5515b77e2b 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2100,6 +2100,18 @@ if test ${with_pam-"no"} != "no"; then
        AC_DEFINE(HAVE_PAM)
        AUTH_OBJS="$AUTH_OBJS pam.o";
        AUTH_EXCL=PAM
+
+       AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])],
+       [case $with_pam_login in
+           yes)        AC_DEFINE([HAVE_PAM_LOGIN])
+                       AC_MSG_CHECKING(whether to use PAM login)
+                       AC_MSG_RESULT(yes)
+                       ;;
+           no)         ;;
+           *)          AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+                       ;;
+       esac])
+
        AC_MSG_CHECKING(whether to use PAM session support)
        AC_ARG_ENABLE(pam_session,
        [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])],
@@ -2113,6 +2125,7 @@ if test ${with_pam-"no"} != "no"; then
                            AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
                            ;;
            esac], AC_MSG_RESULT(yes))
+
        case $host in
            *-*-linux*|*-*-solaris*)
                    # dgettext() may be defined to dgettext_libintl in the
@@ -2828,6 +2841,7 @@ AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
+AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])

diff --git a/env.c b/env.c
index 366df078c4876cb6f931226dde49448b48c27b6b..80f3a990c0f1d2972620db234c58a73c8113ea1a 100644 (file)
--- a/env.c
+++ b/env.c
@@ -584,8 +584,7 @@ matches_env_keep(var)
  * Also adds sudo-specific variables (SUDO_*).
  */
 void
-rebuild_env(sudo_mode, noexec)
-    int sudo_mode;
+rebuild_env(noexec)
     int noexec;
 {
     char **old_envp, **ep, *cp, *ps1;

diff --git a/sudo.c b/sudo.c
index b219ea484f4effdfe55eac389e024bbd07898e9e..e9307d08db103be51a0461cee4c02cbf7ffe9082 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -108,7 +108,7 @@
 /*
  * Prototypes
  */
-static void init_vars                  __P((int, char **));
+static void init_vars                  __P((char **));
 static int set_cmnd                    __P((int));
 static void initial_setup              __P((void));
 static void set_loginclass             __P((struct passwd *));
@@ -147,7 +147,7 @@ sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
 char *runas_user;
 char *runas_group;
 static struct sudo_nss_list *snl;
-static int sudo_mode;
+int sudo_mode;
 
 /* For getopt(3) */
 extern char *optarg;
@@ -263,7 +263,7 @@ main(argc, argv, envp)
     if (user_cmnd == NULL && NewArgc == 0)
        usage(1);
 
-    init_vars(sudo_mode, envp);                /* XXX - move this later? */
+    init_vars(envp);                   /* XXX - move this later? */
 
 #ifdef USING_NONUNIX_GROUPS
     sudo_nonunix_groupcheck_init();    /* initialise nonunix groups impl */
@@ -414,7 +414,7 @@ main(argc, argv, envp)
         def_env_reset = FALSE;
 
     /* Build a new environment that avoids any nasty bits. */
-    rebuild_env(sudo_mode, def_noexec);
+    rebuild_env(def_noexec);
 
     /* Fill in passwd struct based on user we are authenticating as.  */
     auth_pw = get_authpw();
@@ -551,8 +551,7 @@ main(argc, argv, envp)
  * load the ``interfaces'' array.
  */
 static void
-init_vars(sudo_mode, envp)
-    int sudo_mode;
+init_vars(envp)
     char **envp;
 {
     char *p, **ep, thost[MAXHOSTNAMELEN + 1];

diff --git a/sudo.h b/sudo.h
index 0aedecbdf7b5fd51c3c909900aa29634a807777c..6ce915f73b79d05114b65dc7e3f14442013cd774 100644 (file)
--- a/sudo.h
+++ b/sudo.h
@@ -230,7 +230,7 @@ void env_init               __P((int lazy));
 void init_envtables    __P((void));
 void insert_env_vars   __P((struct list_member *));
 void read_env_file     __P((const char *, int));
-void rebuild_env       __P((int, int));
+void rebuild_env       __P((int));
 void validate_env_vars __P((struct list_member *));
 
 /* exec.c */
@@ -355,6 +355,7 @@ extern struct passwd *auth_pw, *list_pw;
 
 extern int tgetpass_flags;
 extern int long_list;
+extern int sudo_mode;
 extern uid_t timestamp_uid;
 /* XXX - conflicts with the one in visudo */
 int run_command __P((const char *path, char *argv[], char *envp[], uid_t uid, int dowait));