Add support for a sudo-i pam.d file to be used for "sudo -i".

Adapted from a RedHat patch.

diff --git a/config.h.in b/config.h.in
index 3e06e38a7018f4ced9013a1a4c0bb83895488d4a..ce43f925ad265f5e027e75acbc0e196318f8e13d 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -361,6 +361,9 @@
 /* Define to 1 if you use PAM authentication. */
 #undef HAVE_PAM
 
+/* Define to 1 if you use a specific PAM session for sudo -i. */
+#undef HAVE_PAM_LOGIN
+
 /* Define to 1 if you have the <pam/pam_appl.h> header file. */
 #undef HAVE_PAM_PAM_APPL_H
 

diff --git a/configure b/configure
index 0c25c6613c5b70bafe56198dce23f88a78430774..6cd41f63aca5dd1c20ba76f0604f7876812d6ad8 100755 (executable)
--- a/configure
+++ b/configure
@@ -1004,6 +1004,7 @@ enable_libtool_lock
 with_noexec
 with_netsvc
 enable_sia
+with_pam_login
 enable_pam_session
 '
       ac_precious_vars='build_alias
@@ -1747,6 +1748,7 @@ Optional Packages:
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-noexec=PATH      fully qualified pathname of sudo_noexec.so
   --with-netsvc[=PATH]    path to netsvc.conf
+  --with-pam-login        enable specific PAM session for sudo -i
 
 Some influential environment variables:
   CC          C compiler command
@@ -6928,13 +6930,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6931: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6933: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6934: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6936: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6937: output\"" >&5)
+  (eval echo "\"\$as_me:6939: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8139,7 +8141,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8142 "configure"' > conftest.$ac_ext
+  echo '#line 8144 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9400,11 +9402,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9403: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9405: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9407: \$? = $ac_status" >&5
+   echo "$as_me:9409: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9739,11 +9741,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9742: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9744: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9746: \$? = $ac_status" >&5
+   echo "$as_me:9748: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9844,11 +9846,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9847: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9849: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9851: \$? = $ac_status" >&5
+   echo "$as_me:9853: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9899,11 +9901,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9902: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9904: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9906: \$? = $ac_status" >&5
+   echo "$as_me:9908: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12266,7 +12268,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12269 "configure"
+#line 12271 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12362,7 +12364,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12365 "configure"
+#line 12367 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -16161,6 +16163,25 @@ done
 
        AUTH_OBJS="$AUTH_OBJS pam.lo";
        AUTH_EXCL=PAM
+
+
+# Check whether --with-pam-login was given.
+if test "${with_pam_login+set}" = set; then :
+  withval=$with_pam_login; case $with_pam_login in
+           yes)        $as_echo "#define HAVE_PAM_LOGIN 1" >>confdefs.h
+
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM login" >&5
+$as_echo_n "checking whether to use PAM login... " >&6; }
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                       ;;
+           no)         ;;
+           *)          as_fn_error "\"--with-pam-login does not take an argument.\"" "$LINENO" 5
+                       ;;
+       esac
+fi
+
+
        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM session support" >&5
 $as_echo_n "checking whether to use PAM session support... " >&6; }
        # Check whether --enable-pam_session was given.
@@ -16185,6 +16206,7 @@ else
 $as_echo "yes" >&6; }
 fi
 
+
        case $host in
            *-*-linux*|*-*-solaris*)
                    # dgettext() may be defined to dgettext_libintl in the
@@ -20497,5 +20519,6 @@ fi
 
 
 
+
 
 

diff --git a/configure.in b/configure.in
index 38301f387dadde05f65b864fa957d4ddcce14e15..319f79081cf2003f99e20a6e4447f1c598405e89 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2100,6 +2100,18 @@ if test ${with_pam-"no"} != "no"; then
        AC_DEFINE(HAVE_PAM)
        AUTH_OBJS="$AUTH_OBJS pam.lo";
        AUTH_EXCL=PAM
+
+       AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])],
+       [case $with_pam_login in
+           yes)        AC_DEFINE([HAVE_PAM_LOGIN])
+                       AC_MSG_CHECKING(whether to use PAM login)
+                       AC_MSG_RESULT(yes)
+                       ;;
+           no)         ;;
+           *)          AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+                       ;;
+       esac])
+
        AC_MSG_CHECKING(whether to use PAM session support)
        AC_ARG_ENABLE(pam_session,
        [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])],
@@ -2113,6 +2125,7 @@ if test ${with_pam-"no"} != "no"; then
                            AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
                            ;;
            esac], AC_MSG_RESULT(yes))
+
        case $host in
            *-*-linux*|*-*-solaris*)
                    # dgettext() may be defined to dgettext_libintl in the
@@ -2801,6 +2814,7 @@ AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
+AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])

diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 363b415b57233664239e69cedb88929eb61bb0e4..673aa5cd039670ffd861144f874df2734d882799 100644 (file)
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -90,7 +90,12 @@ pam_init(struct passwd *pw, char **promptp, sudo_auth *auth)
     if (auth != NULL)
        auth->data = (void *) &pam_status;
     pam_conv.conv = converse;
-    pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+       pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+    else
+#endif
+       pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
     if (pam_status != PAM_SUCCESS) {
        log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
        return(AUTH_FATAL);

diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index 637b854d3af10406754e96eddbbd8ebd37e68275..99ef0ff5777619fee287292804bfb2fd3fbabd79 100644 (file)
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -407,7 +407,7 @@ matches_env_keep(const char *var)
  * Also adds sudo-specific variables (SUDO_*).
  */
 void
-rebuild_env(int sudo_mode, int noexec)
+rebuild_env(int noexec)
 {
     char **old_envp, **ep, *cp, *ps1;
     char idbuf[MAX_UID_T_LEN];

diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 8c4033dde65e77b9186c377eed6477f4ba499e40..5b1dcbc226b9c858b00710634825c7c1e16d504d 100644 (file)
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -146,6 +146,7 @@ char *login_style;
 sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
 sudo_conv_t sudo_conv;
 sudo_printf_t sudo_printf;
+int sudo_mode;
 
 static char *runas_user;
 static char *runas_group;
@@ -158,8 +159,6 @@ char **NewArgv;
 /* error.c */
 extern sigjmp_buf error_jmp;
 
-static int sudo_mode;
-
 static int
 sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
     sudo_printf_t plugin_printf, char * const settings[],
@@ -437,7 +436,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
        def_env_reset = FALSE;
 
     /* Build a new environment that avoids any nasty bits. */
-    rebuild_env(sudo_mode, def_noexec);
+    rebuild_env(def_noexec);
 
     /* Fill in passwd struct based on user we are authenticating as.  */
     auth_pw = get_authpw();

diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index f2ec62eb4990eae193b52d0be45b2070c3302947..5b726af6af15a625742bd5f3bc2ec00df48bff30 100644 (file)
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -290,7 +290,7 @@ void env_init(char * const envp[]);
 void init_envtables(void);
 void insert_env_vars(char * const envp[]);
 void read_env_file(const char *, int);
-void rebuild_env(int, int);
+void rebuild_env(int);
 void validate_env_vars(char * const envp[]);
 
 /* fmt_string.c */
@@ -315,6 +315,7 @@ int group_plugin_query(const char *user, const char *group,
 extern struct sudo_user sudo_user;
 extern struct passwd *auth_pw, *list_pw;
 extern int long_list;
+extern int sudo_mode;
 extern uid_t timestamp_uid;
 extern sudo_conv_t sudo_conv;
 extern sudo_printf_t sudo_printf;