From: Todd C. Miller
Date: Tue, 11 Aug 2015 02:17:02 +0000 (-0600)
Subject: In sudo_pam_begin_session() and sudo_pam_end_session() return
X-Git-Tag: SUDO_1_8_15^2~82
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2b6085760cab794cbfd480ca9d81c04865d46a4d;p=sudo

In sudo_pam_begin_session() and sudo_pam_end_session() return AUTH_FATAL on error, not AUTH_FAILURE. In sudo_auth_begin_session() treat anything other than AUTH_SUCCESS as a fatal error.
---
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 4cfbca909..ccd0d1ebc 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -279,7 +279,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
 "pam_end: %s", errstr ? errstr : "unknown error");
 }
 pamh = NULL;
- status = AUTH_FAILURE;
+ status = AUTH_FATAL;
 goto done;
 }
 }
@@ -295,7 +295,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
 if (pam_envp != NULL) {
 /* Merge pam env with user env. */
 if (!env_init(*user_envp) || !env_merge(pam_envp))
- status = AUTH_FAILURE;
+ status = AUTH_FATAL;
 *user_envp = env_get();
 (void)env_init(NULL);
 free(pam_envp);
@@ -348,7 +348,7 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
 const char *errstr = pam_strerror(pamh, rc);
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "pam_end: %s", errstr ? errstr : "unknown error");
- status = AUTH_FAILURE;
+ status = AUTH_FATAL;
 }
 pamh = NULL;
 }
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
index 83bd08588..9b86f3855 100644
--- a/plugins/sudoers/auth/sudo_auth.c
+++ b/plugins/sudoers/auth/sudo_auth.c
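Review bot: The path that now returns `AUTH_FATAL` in the `-279` hunk of pam.c has only a debug-level record in view (the `"pam_end: %s"` message), while the dispatcher in sudo_auth.c breaks out of its loop with the comment "assume error msg already printed". Since a fatal status now aborts the run, the user and the audit log should see a message as well, for example `log_warningx(0, N_("unable to set up PAM session"));` placed before `status = AUTH_FATAL;` (the wording is only a suggestion). The same applies to the `-348` hunk in sudo_pam_end_session(), and the `-295` hunk sets the status with no diagnostic at all. The enclosing block starts above this hunk, so a warning may already be issued there; please confirm.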
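Review bot: In the `-295` hunk, `*user_envp = env_get();` still runs after `env_init()` or `env_merge()` has failed, so the caller's environment pointer can end up referring to a partially merged environment even though the function reports `AUTH_FATAL`. That is harmless only if every caller discards `*user_envp` after a failed begin-session, which this diff does not show. I would state the contract next to the assignment, e.g. `/* On failure *user_envp may be incomplete; callers must not run a command with it. */`, or skip the assignment when the merge failed if the environment's ownership rules allow it. The function body continues outside the hunk.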
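Review bot: Raising the `pam_end()` failure in sudo_pam_end_session() (the `-348` hunk) to `AUTH_FATAL` has no visible counterpart on the calling side, because this commit adjusts only sudo_auth_begin_session(). The end-session dispatcher is not part of the diff, so it is unclear whether a fatal status is propagated there and what that means for a command that has presumably already run by the time the session is closed. A comment above the assignment would record the intent, e.g. `/* failing to tear down the PAM handle is reported to the caller as fatal */`. The enclosing function starts above this hunk.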
@@ -342,11 +342,11 @@ sudo_auth_begin_session(struct passwd *pw, char **user_env[])
 for (auth = auth_switch; auth->name; auth++) {
 if (auth->begin_session && !IS_DISABLED(auth)) {
 status = (auth->begin_session)(pw, user_env, auth);
- if (status == AUTH_FATAL)
+ if (status != AUTH_SUCCESS)
 break; /* assume error msg already printed */
 }
 }
- debug_return_int(status == AUTH_FATAL ? -1 : 1);
+ debug_return_int(status == AUTH_SUCCESS ? 1 : -1);
 }

 bool
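Review bot: The new return expression `status == AUTH_SUCCESS ? 1 : -1` makes the result depend on `status` already being `AUTH_SUCCESS` when the loop never assigns it (no method with a `begin_session` hook, or all of them disabled); before, any value other than `AUTH_FATAL` returned 1. The declaration is outside this hunk, so please confirm it reads `int status = AUTH_SUCCESS;`. The comment on the `break` is also stale now that every non-success value ends the loop; something like `/* any non-success status is fatal; assume error msg already printed */` would match the new condition.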