From: Todd C. Miller Date: Sun, 24 Feb 2013 11:15:37 +0000 (-0500) Subject: Add pam_session sudoers option. X-Git-Tag: SUDO_1_8_7~1^2~202 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59692ad2828be6aebbbae80300a81811c15b9941;p=sudo Add pam_session sudoers option. --- diff --git a/configure b/configure index ae1472996..6ab9da295 100755 --- a/configure +++ b/configure @@ -659,6 +659,7 @@ EXEEXT ac_ct_CC CC PLUGINDIR +pam_session editor secure_path netsvc_conf @@ -2922,6 +2923,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + # @@ -2963,6 +2965,7 @@ netsvc_conf=/etc/netsvc.conf noexec_file=/usr/local/libexec/sudo/sudo_noexec.so nsswitch_conf=/etc/nsswitch.conf secure_path="not set" +pam_session=on PLUGINDIR=/usr/local/libexec/sudo # # End initial values for man page substitution @@ -18771,16 +18774,17 @@ if test "${enable_pam_session+set}" = set; then : yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } ;; - no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - $as_echo "#define NO_PAM_SESSION 1" >>confdefs.h + $as_echo "#define NO_PAM_SESSION 1" >>confdefs.h - ;; - *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + pam_session=off + ;; + *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-pam-session: $enableval" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-pam-session: $enableval" >&5 $as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-pam-session: $enableval" >&2;} - ;; + ;; esac else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 diff --git a/configure.in b/configure.in index 510f5fa3e..c5642b83a 100644 --- a/configure.in +++ b/configure.in @@ -120,6 +120,7 @@ AC_SUBST([nsswitch_conf]) AC_SUBST([netsvc_conf]) AC_SUBST([secure_path]) AC_SUBST([editor]) +AC_SUBST([pam_session]) AC_SUBST([PLUGINDIR]) # # Begin initial values for man page substitution @@ -160,6 +161,7 @@ netsvc_conf=/etc/netsvc.conf noexec_file=/usr/local/libexec/sudo/sudo_noexec.so nsswitch_conf=/etc/nsswitch.conf secure_path="not set" +pam_session=on PLUGINDIR=/usr/local/libexec/sudo # # End initial values for man page substitution @@ -2773,12 +2775,13 @@ if test ${with_pam-"no"} != "no"; then [ case "$enableval" in yes) AC_MSG_RESULT(yes) ;; - no) AC_MSG_RESULT(no) - AC_DEFINE(NO_PAM_SESSION) - ;; - *) AC_MSG_RESULT(no) - AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval]) - ;; + no) AC_MSG_RESULT(no) + AC_DEFINE(NO_PAM_SESSION) + pam_session=off + ;; + *) AC_MSG_RESULT(no) + AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval]) + ;; esac], AC_MSG_RESULT(yes)) fi fi diff --git a/doc/sudoers.cat b/doc/sudoers.cat index f260e0bda..13bc3a3cf 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -809,9 +809,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS will not be automatically foregrounded. Some versions of the linux su(1) command behave this way. - This setting is only supported by ssuuddooeerrss plugin - version 1.8.7 or higher. It has no effect unless I/O - logging is enabled or the _u_s_e___p_t_y flag is enabled. + This setting is only supported by version 1.8.7 or + higher. It has no effect unless I/O logging is enabled + or the _u_s_e___p_t_y flag is enabled. env_editor If set, vviissuuddoo will use the value of the EDITOR or VISUAL environment variables before falling back on the @@ -1001,6 +1001,26 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end of this manual. This flag is _o_f_f by default. + pam_session On systems that use PAM for authentication, ssuuddoo will + create a new PAM session for the command to be run in. + Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM + implementations or on operating systems where opening a + PAM session changes the utmp or wtmp files. If PAM + session support is disabled, resource limits may not be + updated for the command being run. This flag is _o_n by + default. + + This setting is only supported by version 1.8.7 or + higher. + + passprompt_override + The password prompt specified by _p_a_s_s_p_r_o_m_p_t will + normally only be used if the password prompt provided + by systems such as PAM matches the string + ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, + _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by + default. + path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to @@ -1011,14 +1031,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS not allowed to run it, which can be confusing. This flag is _o_n by default. - passprompt_override - The password prompt specified by _p_a_s_s_p_r_o_m_p_t will - normally only be used if the password prompt provided - by systems such as PAM matches the string - ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, - _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by - default. - preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group @@ -1305,8 +1317,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS truncated to 2176782336. The default value is 2176782336. - This setting is only supported by ssuuddooeerrss plugin - version 1.8.7 or higher. + This setting is only supported by version 1.8.7 or + higher. noexec_file As of ssuuddoo version 1.8.1 this option is no longer supported. The path to the noexec file should now be @@ -2138,4 +2150,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 February 20, 2013 Sudo 1.8.7 +Sudo 1.8.7 February 24, 2013 Sudo 1.8.7 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 48ac73878..b07041904 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "February 20, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "February 24, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -1767,9 +1767,7 @@ Some versions of the linux su(1) command behave this way. .sp -This setting is only supported by -\fBsudoers\fR -plugin version 1.8.7 or higher. +This setting is only supported by version 1.8.7 or higher. It has no effect unless I/O logging is enabled or the \fIuse_pty\fR flag is enabled. @@ -2156,23 +2154,21 @@ This flag is \fIoff\fR by default. .TP 18n -path_info -Normally, -\fBsudo\fR -will tell the user when a command could not be -found in their -\fRPATH\fR -environment variable. -Some sites may wish to disable this as it could be used to gather -information on the location of executables that the normal user does -not have access to. -The disadvantage is that if the executable is simply not in the user's -\fRPATH\fR, +pam_session +On systems that use PAM for authentication, \fBsudo\fR -will tell the user that they are not allowed to run it, which can be confusing. +will create a new PAM session for the command to be run in. +Disabling +\fIpam_session\fR +may be needed on older PAM implementations or on operating systems where +opening a PAM session changes the utmp or wtmp files. +If PAM session support is disabled, resource limits may not be updated +for the command being run. This flag is -\fI@path_info@\fR +\fI@pam_session@\fR by default. +.sp +This setting is only supported by version 1.8.7 or higher. .TP 18n passprompt_override The password prompt specified by @@ -2189,6 +2185,24 @@ This flag is \fIoff\fR by default. .TP 18n +path_info +Normally, +\fBsudo\fR +will tell the user when a command could not be +found in their +\fRPATH\fR +environment variable. +Some sites may wish to disable this as it could be used to gather +information on the location of executables that the normal user does +not have access to. +The disadvantage is that if the executable is simply not in the user's +\fRPATH\fR, +\fBsudo\fR +will tell the user that they are not allowed to run it, which can be confusing. +This flag is +\fI@path_info@\fR +by default. +.TP 18n preserve_groups By default, \fBsudo\fR @@ -2743,9 +2757,7 @@ base 36 sequence number will be silently truncated to 2176782336. The default value is 2176782336. .sp -This setting is only supported by -\fBsudoers\fR -plugin version 1.8.7 or higher. +This setting is only supported by version 1.8.7 or higher. .TP 18n noexec_file As of diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 67b98f639..68efc84e4 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd February 20, 2013 +.Dd February 24, 2013 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1641,9 +1641,7 @@ Some versions of the linux .Xr su 1 command behave this way. .Pp -This setting is only supported by -.Nm sudoers -plugin version 1.8.7 or higher. +This setting is only supported by version 1.8.7 or higher. It has no effect unless I/O logging is enabled or the .Em use_pty flag is enabled. @@ -2015,23 +2013,21 @@ section at the end of this manual. This flag is .Em off by default. -.It path_info -Normally, -.Nm sudo -will tell the user when a command could not be -found in their -.Ev PATH -environment variable. -Some sites may wish to disable this as it could be used to gather -information on the location of executables that the normal user does -not have access to. -The disadvantage is that if the executable is simply not in the user's -.Ev PATH , +.It pam_session +On systems that use PAM for authentication, .Nm sudo -will tell the user that they are not allowed to run it, which can be confusing. +will create a new PAM session for the command to be run in. +Disabling +.Em pam_session +may be needed on older PAM implementations or on operating systems where +opening a PAM session changes the utmp or wtmp files. +If PAM session support is disabled, resource limits may not be updated +for the command being run. This flag is -.Em @path_info@ +.Em @pam_session@ by default. +.Pp +This setting is only supported by version 1.8.7 or higher. .It passprompt_override The password prompt specified by .Em passprompt @@ -2046,6 +2042,23 @@ will always be used. This flag is .Em off by default. +.It path_info +Normally, +.Nm sudo +will tell the user when a command could not be +found in their +.Ev PATH +environment variable. +Some sites may wish to disable this as it could be used to gather +information on the location of executables that the normal user does +not have access to. +The disadvantage is that if the executable is simply not in the user's +.Ev PATH , +.Nm sudo +will tell the user that they are not allowed to run it, which can be confusing. +This flag is +.Em @path_info@ +by default. .It preserve_groups By default, .Nm sudo @@ -2564,9 +2577,7 @@ base 36 sequence number will be silently truncated to 2176782336. The default value is 2176782336. .Pp -This setting is only supported by -.Nm sudoers -plugin version 1.8.7 or higher. +This setting is only supported by version 1.8.7 or higher. .It noexec_file As of .Nm sudo diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index 5f0386492..0c1585ae0 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -251,13 +251,13 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth) } #endif /* HAVE_PAM_GETENVLIST */ -#ifndef NO_PAM_SESSION - status = pam_open_session(pamh, 0); - if (status != PAM_SUCCESS) { - (void) pam_end(pamh, status | PAM_DATA_SILENT); - pamh = NULL; + if (pam_session) { + status = pam_open_session(pamh, 0); + if (status != PAM_SUCCESS) { + (void) pam_end(pamh, status | PAM_DATA_SILENT); + pamh = NULL; + } } -#endif done: debug_return_int(status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE); @@ -276,9 +276,8 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth) * XXX - still needed now that session init is in parent? */ (void) pam_set_item(pamh, PAM_USER, pw->pw_name); -#ifndef NO_PAM_SESSION - (void) pam_close_session(pamh, PAM_SILENT); -#endif + if (pam_session) + (void) pam_close_session(pamh, PAM_SILENT); (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT); pamh = NULL; diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index b3001e7ed..c4a5dd103 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -354,6 +354,10 @@ struct sudo_defs_types sudo_defs_table[] = { "exec_background", T_FLAG, N_("Run commands on a pty in the background"), NULL, + }, { + "pam_session", T_FLAG, + N_("Create a new PAM session for the command to run in"), + NULL, }, { "maxseq", T_UINT, N_("Maximum I/O log sequence number"), diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index 3b54fbba3..36fba1b61 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -164,8 +164,10 @@ #define I_LIMITPRIVS 81 #define def_exec_background (sudo_defs_table[82].sd_un.flag) #define I_EXEC_BACKGROUND 82 -#define def_maxseq (sudo_defs_table[83].sd_un.ival) -#define I_MAXSEQ 83 +#define def_pam_session (sudo_defs_table[83].sd_un.flag) +#define I_PAM_SESSION 83 +#define def_maxseq (sudo_defs_table[84].sd_un.ival) +#define I_MAXSEQ 84 enum def_tuple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 5842b292a..9f8ffa088 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -262,6 +262,9 @@ limitprivs exec_background T_FLAG "Run commands on a pty in the background" +pam_session + T_FLAG + "Create a new PAM session for the command to run in" maxseq T_UINT "Maximum I/O log sequence number" diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 69ddeebc8..7e3493757 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -421,6 +421,11 @@ init_defaults(void) def_env_reset = ENV_RESET; def_set_logname = true; def_closefrom = STDERR_FILENO + 1; +#ifdef NO_PAM_SESSION + def_pam_session = false; +#else + def_pam_session = true; +#endif /* Syslog options need special care since they both strings and ints */ #if (LOGGING & SLOG_SYSLOG)