Call pam_open_session() and pam_close_session() to give pam_limits a
authorTodd C. Miller <Todd.Miller@courtesan.com>
Fri, 27 May 2005 05:59:02 +0000 (05:59 +0000)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Fri, 27 May 2005 05:59:02 +0000 (05:59 +0000)
chance to run.  Idea from Karel Zak.

auth/pam.c

index 03779b704a74489735cf0412f736447c5dca87c1..7f88bf3ec7c7122d4e98f01b1d67559f0e083159 100644 (file)
@@ -195,6 +195,18 @@ pam_prep_user(pw)
      */
     (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
 
+    /*
+     * To fully utilize PAM sessions we would need to keep a
+     * sudo process around until the command exits.  However, we
+     * can at least cause pam_limits to be run by opening and then
+     * immediately closing the session.
+     */
+    if (pam_open_session(pamh, 0) != PAM_SUCCESS) {
+       (void) pam_end(pamh, error);
+       return(AUTH_FAILURE);
+    }
+    (void) pam_close_session(pamh, 0);
+
     if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
        return(AUTH_SUCCESS);
     else
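Review bot: On the new failure path, `pam_end(pamh, error)` passes a status that does not come from the failing call. The result of `pam_open_session()` is compared and discarded, and `error` is not assigned anywhere in the visible lines, so it presumably holds whatever an earlier call left there. Capturing the result fixes this: `if ((error = pam_open_session(pamh, 0)) != PAM_SUCCESS) {` followed by `(void) pam_end(pamh, error | PAM_DATA_SILENT);`, using the same flag as the success path below. That path also returns after `pam_setcred(pamh, PAM_ESTABLISH_CRED)` without a matching `PAM_DELETE_CRED`, and a session-module failure now denies the command outright; both deserve a short comment if intended, e.g. `/* fail closed: limits were not applied */`. pam_prep_user starts before this hunk and its final `else` branch continues past it.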