From: Todd C. Miller
Date: Tue, 9 Oct 2007 00:04:48 +0000 (+0000)
Subject: Add --disable-pam-session configure option to disable calling
X-Git-Tag: SUDO_1_7_0~347
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5a04b3ff9da6ffa511f695b17c6d48c33f3f4220;p=sudo
Add --disable-pam-session configure option to disable calling pam_{open,close}_session. May work around bugs in some PAM implementations.
---
diff --git a/INSTALL b/INSTALL
index 0b3bd22b3..0ffff85a0 100644
--- a/INSTALL
+++ b/INSTALL
@@ -252,6 +252,13 @@ Special features/options:
 is to compile noexec support if libtool supports building shared objects on your OS.
+ --disable-pam-session
+ Disable sudo's PAM session support. This may be needed on
+ older PAM implementations or on operating systems where
+ opening a PAM session changes the utmp or wtmp files. If
+ PAM session support is disabled, resource limits may not
+ be updatedin for command being run.
+ --disable-root-mailer By default sudo will run the mailer as root when tattling on a user so as to prevent that user from killing the mailer.
diff --git a/auth/pam.c b/auth/pam.c
index 92a9f212a..7fb45b74c 100644
--- a/auth/pam.c
+++ b/auth/pam.c
@@ -206,6 +206,7 @@ pam_prep_user(pw)
 */ (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+#ifndef NO_PAM_SESSION
 /* * To fully utilize PAM sessions we would need to keep a * sudo process around until the command exits. However, we
@@ -217,6 +218,7 @@ pam_prep_user(pw)
 return(AUTH_FAILURE); } (void) pam_close_session(pamh, 0);
+#endif
 if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS) return(AUTH_SUCCESS);
diff --git a/config.h.in b/config.h.in
index 33d50e7a9..a97caf409 100644
--- a/config.h.in
+++ b/config.h.in
@@ -476,6 +476,9 @@ sudo. */ #undef NO_LECTURE
+/* Define to 1 if you don't want to use sudo's PAM session support. */
+#undef NO_PAM_SESSION
+ /* Define to avoid runing the mailer as root. */ #undef NO_ROOT_MAILER
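Review bot: In auth/pam.c the new `#ifndef NO_PAM_SESSION` guard carries no comment saying what a build with the macro defined gives up: the `pam_open_session()`/`pam_close_session()` pair is compiled out, so, going by the INSTALL text added in this same commit, resource limits may not be updated for the command being run. I would state that next to the directive, e.g. `/* NO_PAM_SESSION: the PAM session is never opened, so session-time setup (e.g. resource limits) is not applied to the command. */`. The closing directive in the second hunk (`@@ -217,6 +218,7 @@`) would also read better as `#endif /* !NO_PAM_SESSION */`, since the pair is separated by about a dozen lines and split across two hunks. `pam_prep_user()` begins and ends outside both hunks, so the rest of the function was not reviewed.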
diff --git a/configure.in b/configure.in
index 4c42c23e4..f4fb629e7 100644
--- a/configure.in
+++ b/configure.in
@@ -1810,6 +1810,19 @@ if test ${with_pam-"no"} != "no"; then AC_DEFINE(HAVE_PAM) AUTH_OBJS="$AUTH_OBJS pam.o"; AUTH_EXCL=PAM
+ AC_MSG_CHECKING(whether to use PAM session support)
+ AC_ARG_ENABLE(pam_session,
+ [ --disable-pam-session Disable PAM session support],
+ [ case "$enableval" in
+ yes) AC_MSG_RESULT(yes)
+ ;;
+ no) AC_MSG_RESULT(no)
+ AC_DEFINE(NO_PAM_SESSION)
+ ;;
+ *) AC_MSG_RESULT(no)
+ AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
+ ;;
+ esac], AC_MSG_RESULT(yes))
 fi fi
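Review bot: The `*)` branch of the new `AC_ARG_ENABLE(pam_session, ...)` prints `AC_MSG_RESULT(no)` but does not define `NO_PAM_SESSION`, so after an unrecognised value configure answers "no" to "whether to use PAM session support" while the build still compiles in the pam_open_session/pam_close_session calls. Because this option defaults to enabled (the fallback argument is `AC_MSG_RESULT(yes)`), the ignored-argument case should report that default: `*) AC_MSG_RESULT(yes)`. As written, someone reading the configure output could conclude that session handling was compiled out when it was not. The enclosing `if test ${with_pam-"no"} != "no"` block opens before the hunk, so only the added lines were checked.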