From: Todd C. Miller Date: Tue, 6 Aug 2013 20:44:21 +0000 (-0600) Subject: Add pam_setcred sudoers option to allow the user to control whether X-Git-Tag: SUDO_1_8_8^2~91 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3898f5d7ff2cf51062764e7dff6c9fd160b15dc4;p=sudo Add pam_setcred sudoers option to allow the user to control whether pam_setcred() is called on the user's behalf. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index ae05c51f6..661be6288 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1048,12 +1048,27 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS implementations or on operating systems where opening a PAM session changes the utmp or wtmp files. If PAM session support is disabled, resource limits may not be - updated for the command being run. This flag is _o_n by - default. + updated for the command being run. If _p_a_m___s_e_s_s_i_o_n, + _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are disabled and I/O logging + has not been configured, ssuuddoo will execute the command + directly instead of running it as a child process. + This flag is _o_n by default. This setting is only supported by version 1.8.7 or higher. + pam_setcred On systems that use PAM for authentication, ssuuddoo will + attempt to establish credentials for the target user by + default, if supported by the underlying authentication + system. One example of a credential is a Kerberos + ticket. If _p_a_m___s_e_s_s_i_o_n, _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are + disabled and I/O logging has not been configured, ssuuddoo + will execute the command directly instead of running it + as a child process. This flag is _o_n by default. + + This setting is only supported by version 1.8.8 or + higher. + passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will normally only be used if the password prompt provided 
@@ -1381,12 +1396,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS default value is ``sudo''. See the description of _p_a_m___s_e_r_v_i_c_e for more information. + This setting is only supported by version 1.8.8 or + higher. + pam_service On systems that use PAM for authentication, the service name specifies the PAM policy to apply. This usually corresponds to an entry in the _p_a_m_._c_o_n_f file or a file in the _/_e_t_c_/_p_a_m_._d directory. The default value is ``sudo''. + This setting is only supported by version 1.8.8 or + higher. + passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 74bcef698..28581db28 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -2229,12 +2229,42 @@ may be needed on older PAM implementations or on operating systems where opening a PAM session changes the utmp or wtmp files. If PAM session support is disabled, resource limits may not be updated for the command being run. +If +\fIpam_session\fR, +\fIpam_setcred\fR, +and +\fIuse_pty\fR +are disabled and I/O logging has not been configured, +\fBsudo\fR +will execute the command directly instead of running it as a child +process. This flag is \fI@pam_session@\fR by default. .sp This setting is only supported by version 1.8.7 or higher. .TP 18n +pam_setcred +On systems that use PAM for authentication, +\fBsudo\fR +will attempt to establish credentials for the target user by default, +if supported by the underlying authentication system. +One example of a credential is a Kerberos ticket. +If +\fIpam_session\fR, +\fIpam_setcred\fR, +and +\fIuse_pty\fR +are disabled and I/O logging has not been configured, +\fBsudo\fR +will execute the command directly instead of running it as a child +process. +This flag is +\fIon\fR +by default. +.sp +This setting is only supported by version 1.8.8 or higher. +.TP 18n passprompt_override The password prompt specified by \fIpassprompt\fR @@ -2862,6 +2892,8 @@ The default value is See the description of \fIpam_service\fR for more information. +.sp +This setting is only supported by version 1.8.8 or higher. .TP 18n pam_service On systems that use PAM for authentication, the service name @@ -2873,6 +2905,8 @@ file or a file in the directory. The default value is ``\fRsudo\fR''. +.sp +This setting is only supported by version 1.8.8 or higher. .TP 18n passprompt The default prompt to use when asking for a password; can be overridden via the diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index ef8db9bb9..b23f32b97 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -2080,11 +2080,40 @@ may be needed on older PAM implementations or on operating systems where opening a PAM session changes the utmp or wtmp files. If PAM session support is disabled, resource limits may not be updated for the command being run. +If +.Em pam_session , +.Em pam_setcred , +and +.Em use_pty +are disabled and I/O logging has not been configured, +.Nm sudo +will execute the command directly instead of running it as a child +process. This flag is .Em @pam_session@ by default. .Pp This setting is only supported by version 1.8.7 or higher. +.It pam_setcred +On systems that use PAM for authentication, +.Nm sudo +will attempt to establish credentials for the target user by default, +if supported by the underlying authentication system. +One example of a credential is a Kerberos ticket. +If +.Em pam_session , +.Em pam_setcred , +and +.Em use_pty +are disabled and I/O logging has not been configured, +.Nm sudo +will execute the command directly instead of running it as a child +process. +This flag is +.Em on +by default. +.Pp +This setting is only supported by version 1.8.8 or higher. .It passprompt_override The password prompt specified by .Em passprompt @@ -2671,6 +2700,8 @@ The default value is See the description of .Em pam_service for more information. +.Pp +This setting is only supported by version 1.8.8 or higher. .It pam_service On systems that use PAM for authentication, the service name specifies the PAM policy to apply. @@ -2681,6 +2712,8 @@ file or a file in the directory. The default value is .Dq Li sudo . +.Pp +This setting is only supported by version 1.8.8 or higher. .It passprompt The default prompt to use when asking for a password; can be overridden via the .Fl p diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index f10e805eb..aa41ad955 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c 
@@ -119,6 +119,13 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth) else (void) pam_set_item(pamh, PAM_TTY, user_ttypath); + /* + * If PAM session and setcred support is disabled we don't + * need to keep a sudo process around to close the session. + */ + if (!def_pam_session && !def_pam_setcred) + auth->end_session = NULL; + debug_return_int(AUTH_SUCCESS); } @@ -189,8 +196,8 @@ sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth) int *pam_status = (int *) auth->data; debug_decl(sudo_pam_cleanup, SUDO_DEBUG_AUTH) - /* If successful, we can't close the session until pam_end_session() */ - if (*pam_status != PAM_SUCCESS) { + /* If successful, we can't close the session until sudo_pam_end_session() */ + if (*pam_status != PAM_SUCCESS || auth->end_session == NULL) { *pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT); pamh = NULL; } @@ -231,7 +238,8 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth) * pam_unix will fail but pam_ldap or pam_sss may succeed, but if * pam_unix is first in the stack, pam_setcred() will fail. */ - (void) pam_setcred(pamh, PAM_ESTABLISH_CRED); + if (def_pam_setcred) + (void) pam_setcred(pamh, PAM_ESTABLISH_CRED); #ifdef HAVE_PAM_GETENVLIST /* @@ -281,7 +289,8 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth) (void) pam_set_item(pamh, PAM_USER, pw->pw_name); if (def_pam_session) (void) pam_close_session(pamh, PAM_SILENT); - (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); + if (def_pam_setcred) + (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) != PAM_SUCCESS) status = AUTH_FAILURE; pamh = NULL; diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index 3ba76481c..4fade6229 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c 
@@ -362,6 +362,10 @@ struct sudo_defs_types sudo_defs_table[] = { "pam_login_service", T_STR, N_("PAM service name to use for login shells"), NULL, + }, { + "pam_setcred", T_FLAG, + N_("Attempt to establish PAM credentials for the target user"), + NULL, }, { "pam_session", T_FLAG, N_("Create a new PAM session for the command to run in"), diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index f83bacf6a..3ee8f3e26 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -168,10 +168,12 @@ #define I_PAM_SERVICE 83 #define def_pam_login_service (sudo_defs_table[84].sd_un.str) #define I_PAM_LOGIN_SERVICE 84 -#define def_pam_session (sudo_defs_table[85].sd_un.flag) -#define I_PAM_SESSION 85 -#define def_maxseq (sudo_defs_table[86].sd_un.ival) -#define I_MAXSEQ 86 +#define def_pam_setcred (sudo_defs_table[85].sd_un.flag) +#define I_PAM_SETCRED 85 +#define def_pam_session (sudo_defs_table[86].sd_un.flag) +#define I_PAM_SESSION 86 +#define def_maxseq (sudo_defs_table[87].sd_un.ival) +#define I_MAXSEQ 87 enum def_tuple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 922e39fae..211c86c17 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -268,6 +268,9 @@ pam_service pam_login_service T_STR "PAM service name to use for login shells" +pam_setcred + T_FLAG + "Attempt to establish PAM credentials for the target user" pam_session T_FLAG "Create a new PAM session for the command to run in"
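Review bot: the documentation hunks describe pam_setcred as "on by default", but none of the hunks in this patch initializes def_pam_setcred to true; the def_data.in and def_data.c entries only declare the T_FLAG. Unless the defaults initialization is updated in a separate change, the new flag would start out off and the `if (def_pam_setcred)` guard in sudo_pam_begin_session would skip pam_setcred(PAM_ESTABLISH_CRED) for every user, a silent behaviour change relative to the previous unconditional call. Suggest setting the default in the same commit, or stating in the commit message where it is set.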
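Review bot: in the sudo_pam_init hunk, `auth->end_session = NULL` only tells the auth layer that no session or credential teardown is needed, yet the documented behaviour ("will execute the command directly instead of running it as a child process") also depends on use_pty being disabled and I/O logging not being configured, neither of which appears in this patch. The comment above the assignment should name the code that inspects end_session == NULL when choosing between direct execution and the child-process path, so a reader can verify that all three conditions are honoured there.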
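Review bot: the sudo_pam_cleanup hunk now calls pam_end() from cleanup whenever `auth->end_session == NULL`, even on PAM_SUCCESS, which is correct because in that configuration neither pam_open_session() nor pam_setcred(PAM_ESTABLISH_CRED) was run. The updated comment only explains the failure case; a second clause such as "or when no end-of-session work is needed" would document why a successful authentication is also ended here.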
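Review bot: the sudo_pam_begin_session and sudo_pam_end_session hunks guard PAM_ESTABLISH_CRED and PAM_DELETE_CRED with the same def_pam_setcred flag, so establish and delete stay symmetric. The return value of pam_setcred() is still discarded, which the existing comment about pam_unix ordering justifies; since the flag is the only way an administrator can now avoid that call, a debug-level log line when the call is skipped would make an unexpected "no Kerberos ticket" report much easier to diagnose.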
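Review bot: the sudoers.cat hunk repeats the sentence "If pam_session, pam_setcred, and use_pty are disabled and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process" verbatim in both the pam_session and pam_setcred entries (and the man.in and mdoc.in hunks do the same). Keeping the full explanation in one entry and cross-referencing it from the other would avoid the two copies drifting apart when the condition changes.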
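Review bot: in the sudoers.man.in and sudoers.mdoc.in hunks the pam_session entry renders its default through a configure-time substitution (`\fI@pam_session@\fR` and `.Em @pam_session@`) while the new pam_setcred entry hard-codes `\fIon\fR` and `.Em on`. If the pam_setcred default is fixed rather than configurable that is fine, but it is worth confirming the intent, since the two entries are otherwise mirror images of each other.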
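Review bot: the sudoers.cat hunk at -1381 and the man.in hunks at -2862 and -2873 (with the matching mdoc.in hunks) add "This setting is only supported by version 1.8.8 or higher" to pam_login_service and pam_service, which is unrelated to the pam_setcred option named in the commit message. Either split those doc additions into their own commit or mention them in the message so the change log reflects what the commit touches.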
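Review bot: the def_data.h hunk renumbers I_PAM_SESSION and I_MAXSEQ to 86 and 87 to make room for I_PAM_SETCRED at 85, consistent with pam_setcred being inserted before pam_session in def_data.in and def_data.c. Any code outside this patch that refers to those table slots by numeric index rather than through the I_* macros or def_* accessors would silently read the wrong entry; a grep for the literal indexes before merging would rule that out.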