Use PAM_SILENT to prevent pam_lastlog from printing last login

information on RedHat except when explicitly running a shell.
Adapted from a patch from Nir Soffer.  Bug #867

diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 87218914270eadee688b24c8898a52cc7baa50d4..129e4fee225a1c2dfceed7a4e79e4a5459313cd4 100644 (file)
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -347,7 +347,12 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
     }
 
     if (def_pam_session) {
-       rc = pam_open_session(pamh, 0);
+       /*
+        * We use PAM_SILENT to prevent pam_lastlog from printing last login
+        * information except when explicitly running a shell.
+        */
+       const bool silent = !ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL);
+       rc = pam_open_session(pamh, silent ? PAM_SILENT : 0);
        switch (rc) {
        case PAM_SUCCESS:
            break;