From: Todd C. Miller
Date: Tue, 22 Mar 2016 22:31:28 +0000 (-0600)
Subject: If the auth_type setting in /etc/security/login.cfg is set to
X-Git-Tag: SUDO_1_8_17^2~135
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b2d1c457ce01752d3e77acb944d024946006190e;p=sudo
If the auth_type setting in /etc/security/login.cfg is set to PAM_AUTH but pam_start() fails, fall back to use AIX authentication. Skip the auth_type check if sudo is not compiled with PAM support.
---
diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c
index 78c4f6086..bd55dbcf8 100644
--- a/plugins/sudoers/auth/aix_auth.c
+++ b/plugins/sudoers/auth/aix_auth.c
@@ -44,9 +44,10 @@
 * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
 */
-#define AIX_AUTH_UNKNOWN 0
-#define AIX_AUTH_STD 1
-#define AIX_AUTH_PAM 2
+#ifdef HAVE_PAM
+# define AIX_AUTH_UNKNOWN 0
+# define AIX_AUTH_STD 1
+# define AIX_AUTH_PAM 2
 static int
 sudo_aix_authtype(void)
@@ -115,15 +116,22 @@ sudo_aix_authtype(void)
 debug_return_int(authtype);
 }
+#endif /* HAVE_PAM */
 int
 sudo_aix_init(struct passwd *pw, sudo_auth *auth)
 {
 debug_decl(sudo_aix_init, SUDOERS_DEBUG_AUTH)
+#ifdef HAVE_PAM
 /* Check auth_type in /etc/security/login.cfg. */
- if (sudo_aix_authtype() == AIX_AUTH_PAM)
- debug_return_int(AUTH_FAILURE);
+ if (sudo_aix_authtype() == AIX_AUTH_PAM) {
+ if (sudo_pam_init_quiet(pw, auth) == AUTH_SUCCESS) {
+ /* Fail AIX authentication so we can use PAM instead. */
+ debug_return_int(AUTH_FAILURE);
+ }
+ }
+#endif
 debug_return_int(AUTH_SUCCESS);
 }
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index abb193226..679f0c02a 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
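Review bot: In the sudo_aix_init hunk, sudo_pam_init_quiet(pw, auth) is handed the AIX method's own sudo_auth, and sudo_pam_init2 (in the pam.c hunk) stores `auth->data = &pam_status;` before anything else, so after the probe the AIX entry's data pointer refers to PAM's static status even on the fall-back path where AIX authentication goes on to run. Whether the AIX verify or cleanup routines read auth->data is not visible here; if they do, the probe should save and restore that pointer, and if they do not, a comment saying so would stop the next reader from worrying about it. The fall-back is also silent, since the quiet variant suppresses the only warning, so the logs never show which backend actually authenticated the user; a debug-level trace on the else path, `sudo_debug_printf(SUDO_DEBUG_INFO, "pam_start failed, using AIX authentication");`, keeps the probe quiet for the user while leaving a record for the administrator. The comment `/* Fail AIX authentication so we can use PAM instead. */` could additionally state that a failed PAM probe deliberately falls through to AIX auth, which the commit message describes but the code does not.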
@@ -83,19 +83,29 @@ static char *def_prompt = PASSPROMPT;
 static bool getpass_error;
 static pam_handle_t *pamh;
-int
-sudo_pam_init(struct passwd *pw, sudo_auth *auth)
+static int
+sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
 {
- static int pam_status;
+ static int pam_status = PAM_SUCCESS;
 int rc;
 debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)
+ /* Stash pointer to last pam status. */
+ auth->data = &pam_status;
+
+#ifdef _AIX
+ if (pamh != NULL) {
+ /* Already initialized (may happen with AIX). */
+ debug_return_int(AUTH_SUCCESS);
+ }
+#endif /* _AIX */
+
 /* Initial PAM setup */
- auth->data = (void *) &pam_status;
 pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ? def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
 if (pam_status != PAM_SUCCESS) {
- log_warning(0, N_("unable to initialize PAM"));
+ if (!quiet)
+ log_warning(0, N_("unable to initialize PAM"));
 debug_return_int(AUTH_FATAL);
 }
@@ -143,6 +153,20 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth)
 debug_return_int(AUTH_SUCCESS);
 }
+int
+sudo_pam_init(struct passwd *pw, sudo_auth *auth)
+{
+ return sudo_pam_init2(pw, auth, false);
+}
+
+#ifdef _AIX
+int
+sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth)
+{
+ return sudo_pam_init2(pw, auth, true);
+}
+#endif /* _AIX */
+
 int
 sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
index 028c1ce31..e88435580 100644
--- a/plugins/sudoers/auth/sudo_auth.h
+++ b/plugins/sudoers/auth/sudo_auth.h
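Review bot: The `pamh != NULL` short-cut added under _AIX in sudo_pam_init2 assumes a failed pam_start() leaves pamh NULL, but PAM does not guarantee what *pamh holds on failure; if the library writes a non-NULL value there, the quiet probe from sudo_aix_init fails (so AIX authentication is used) yet the later real sudo_pam_init() takes the short-cut and reports AUTH_SUCCESS with a handle that was never started. Clearing the handle on the failure path closes that gap: add `pamh = NULL;` as the first statement inside `if (pam_status != PAM_SUCCESS) {`, before the `if (!quiet)` warning. The debug_decl still names sudo_pam_init although the function was renamed; `debug_decl(sudo_pam_init2, SUDOERS_DEBUG_AUTH)` keeps the trace output accurate. The body of sudo_pam_init2 continues past the end of this hunk.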
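Review bot: sudo_pam_init_quiet is defined only under `#ifdef _AIX` in this hunk, while the prototype added to sudo_auth.h in the following hunk is unconditional, so the header promises a symbol that non-AIX builds do not provide and a caller outside aix_auth.c would fail at link time rather than compile time. Guarding the prototype the same way, `#ifdef _AIX` / `int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);` / `#endif /* _AIX */`, keeps the two in step. The quiet wrapper would also benefit from a one-line comment saying it is the probe used by sudo_aix_init and differs from sudo_pam_init only in suppressing the pam_start() failure warning, since the name alone does not convey why a second entry point exists.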
@@ -64,6 +64,7 @@ int sudo_fwtk_init(struct passwd *pw, sudo_auth *auth);
 int sudo_fwtk_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
 int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
 int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
+int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
 int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
 int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
 int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);