Call pam_getenvlist() after we've opened the session to get the
authorTodd C. Miller <Todd.Miller@courtesan.com>
Sat, 17 Aug 2013 12:22:46 +0000 (06:22 -0600)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Sat, 17 Aug 2013 12:22:46 +0000 (06:22 -0600)
session-specific environment variables.

plugins/sudoers/auth/pam.c

index b80190d7e83fb05288651dfd69049d36e4556663..ba4f9e55ff59aacc5ef19a4fe7b798390a8bbf4e 100644 (file)
@@ -240,6 +240,15 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
     if (def_pam_setcred)
        (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
 
+    if (def_pam_session) {
+       *pam_status = pam_open_session(pamh, 0);
+       if (*pam_status != PAM_SUCCESS) {
+           (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+           pamh = NULL;
+           status = AUTH_FAILURE;
+       }
+    }
+
 #ifdef HAVE_PAM_GETENVLIST
     /*
      * Update environment based on what is stored in pamh.
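Review bot: When pam_open_session() fails, the added block calls pam_end() and sets `pamh = NULL` but does not leave the function, so control falls through into the `#ifdef HAVE_PAM_GETENVLIST` section right after it. Per its comment and the commit title, that section reads the environment from `pamh`, which is now an ended, NULL handle. In its old position the block was the last statement before `done:`, so the missing jump had no effect there. Add `goto done;` after `status = AUTH_FAILURE;` so the environment update is skipped when the session could not be opened. The body of the getenvlist section is outside the hunk, so how it treats a NULL handle cannot be confirmed from here.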
@@ -260,15 +269,6 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
     }
 #endif /* HAVE_PAM_GETENVLIST */
 
-    if (def_pam_session) {
-       *pam_status = pam_open_session(pamh, 0);
-       if (*pam_status != PAM_SUCCESS) {
-           (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
-           pamh = NULL;
-           status = AUTH_FAILURE;
-       }
-    }
-
 done:
     debug_return_int(status);
 }