From: Todd C. Miller Date: Mon, 12 Jul 2010 21:57:53 +0000 (-0400) Subject: Add support for a sudo-i pam.d file to be used for "sudo -i". X-Git-Tag: SUDO_1_8_0~404 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d9de7b5f8e16d7f8e8be18c272e41b23b73247be;p=sudo Add support for a sudo-i pam.d file to be used for "sudo -i". Adapted from a RedHat patch. --- diff --git a/config.h.in b/config.h.in index 3e06e38a7..ce43f925a 100644 --- a/config.h.in +++ b/config.h.in @@ -361,6 +361,9 @@ /* Define to 1 if you use PAM authentication. */ #undef HAVE_PAM +/* Define to 1 if you use a specific PAM session for sudo -i. */ +#undef HAVE_PAM_LOGIN + /* Define to 1 if you have the header file. */ #undef HAVE_PAM_PAM_APPL_H diff --git a/configure b/configure index 0c25c6613..6cd41f63a 100755 --- a/configure +++ b/configure @@ -1004,6 +1004,7 @@ enable_libtool_lock with_noexec with_netsvc enable_sia +with_pam_login enable_pam_session ' ac_precious_vars='build_alias @@ -1747,6 +1748,7 @@ Optional Packages: --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-noexec=PATH fully qualified pathname of sudo_noexec.so --with-netsvc[=PATH] path to netsvc.conf + --with-pam-login enable specific PAM session for sudo -i Some influential environment variables: CC C compiler command 
@@ -6928,13 +6930,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6931: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6933: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6934: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6936: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6937: output\"" >&5) + (eval echo "\"\$as_me:6939: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -8139,7 +8141,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8142 "configure"' > conftest.$ac_ext + echo '#line 8144 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9400,11 +9402,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9403: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9405: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9407: \$? = $ac_status" >&5 + echo "$as_me:9409: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9739,11 +9741,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9742: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9744: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9746: \$? = $ac_status" >&5 + echo "$as_me:9748: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9844,11 +9846,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9847: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9849: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9851: \$? = $ac_status" >&5 + echo "$as_me:9853: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9899,11 +9901,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9902: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9904: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9906: \$? = $ac_status" >&5 + echo "$as_me:9908: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12266,7 +12268,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12269 "configure" +#line 12271 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12362,7 +12364,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12365 "configure" +#line 12367 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -16161,6 +16163,25 @@ done AUTH_OBJS="$AUTH_OBJS pam.lo"; AUTH_EXCL=PAM + + +# Check whether --with-pam-login was given. +if test "${with_pam_login+set}" = set; then : + withval=$with_pam_login; case $with_pam_login in + yes) $as_echo "#define HAVE_PAM_LOGIN 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM login" >&5 +$as_echo_n "checking whether to use PAM login... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + ;; + no) ;; + *) as_fn_error "\"--with-pam-login does not take an argument.\"" "$LINENO" 5 + ;; + esac +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM session support" >&5 $as_echo_n "checking whether to use PAM session support... " >&6; } # Check whether --enable-pam_session was given. @@ -16185,6 +16206,7 @@ else $as_echo "yes" >&6; } fi + case $host in *-*-linux*|*-*-solaris*) # dgettext() may be defined to dgettext_libintl in the @@ -20497,5 +20519,6 @@ fi + diff --git a/configure.in b/configure.in index 38301f387..319f79081 100644 --- a/configure.in +++ b/configure.in @@ -2100,6 +2100,18 @@ if test ${with_pam-"no"} != "no"; then AC_DEFINE(HAVE_PAM) AUTH_OBJS="$AUTH_OBJS pam.lo"; AUTH_EXCL=PAM + + AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])], + [case $with_pam_login in + yes) AC_DEFINE([HAVE_PAM_LOGIN]) + AC_MSG_CHECKING(whether to use PAM login) + AC_MSG_RESULT(yes) + ;; + no) ;; + *) AC_MSG_ERROR(["--with-pam-login does not take an argument."]) + ;; + esac]) + AC_MSG_CHECKING(whether to use PAM session support) AC_ARG_ENABLE(pam_session, [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])], 
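Review bot: In the new `AC_ARG_WITH(pam-login, …)` block the `AC_MSG_CHECKING(whether to use PAM login)` / `AC_MSG_RESULT(yes)` pair lives only inside the `yes)` arm, so configure reports the check when the option is passed but prints nothing when it is omitted or given as `no`, unlike the neighbouring PAM-session check which always reports a result. Putting `AC_MSG_CHECKING(whether to use PAM login)` before the `AC_ARG_WITH`, adding `AC_MSG_RESULT(no)` to the `no)` arm and supplying `AC_MSG_RESULT(no)` as the action-if-not-given would make the output symmetric. The matching hunk in the generated `configure` above should then be regenerated rather than edited by hand.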
@@ -2113,6 +2125,7 @@ if test ${with_pam-"no"} != "no"; then
 AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
 ;;
 esac], AC_MSG_RESULT(yes))
+
 case $host in
 *-*-linux*|*-*-solaris*)
 # dgettext() may be defined to dgettext_libintl in the
@@ -2801,6 +2814,7 @@ AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
+AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 363b415b5..673aa5cd0 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -90,7 +90,12 @@ pam_init(struct passwd *pw, char **promptp, sudo_auth *auth)
 if (auth != NULL)
 auth->data = (void *) &pam_status;
 pam_conv.conv = converse;
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+ else
+#endif
+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
 if (pam_status != PAM_SUCCESS) {
 log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
 return(AUTH_FATAL);
diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index 637b854d3..99ef0ff57 100644
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -407,7 +407,7 @@ matches_env_keep(const char *var)
 * Also adds sudo-specific variables (SUDO_*).
 */
 void
-rebuild_env(int sudo_mode, int noexec)
+rebuild_env(int noexec)
 {
 char **old_envp, **ep, *cp, *ps1;
 char idbuf[MAX_UID_T_LEN];
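Review bot: The new `pam_start("sudo-i", …)` branch makes `sudo -i` depend on a PAM service named `sudo-i` being configured on the target system at runtime, and neither the code nor the commit message says what happens when it is not; with Linux-PAM an unknown service name falls through to the `other` configuration, so the policy applied to login shells would then be whatever that system-wide default is rather than the `sudo` one. A comment on the `#ifdef` would make the deployment requirement explicit, e.g. `/* --with-pam-login: login shells (sudo -i) use the "sudo-i" PAM service, so a pam.d/sudo-i file must be installed next to pam.d/sudo; without it PAM applies the "other" policy. */`. Since `pamh` is created here, the chosen service name presumably also governs the account and session calls made later in this file, which lie outside the hunk. As a style point, an `else` that exists only under `#ifdef HAVE_PAM_LOGIN` is easy to misread; selecting the name first (`const char *service = "sudo";` then `service = "sudo-i";` inside the `#ifdef`) and calling `pam_start(service, …)` once avoids it.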
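Review bot: Removing the `sudo_mode` parameter from `rebuild_env` means the function must now obtain the mode from elsewhere — presumably the `sudo_mode` global this commit exports from sudoers.c through sudoers.h — but the header comment directly above the signature (`* Also adds sudo-specific variables (SUDO_*).`) still describes only the environment-building behaviour and says nothing about that hidden input. Please record the dependency there, e.g. `* Reads the global sudo_mode (sudoers.h) instead of taking it as a parameter.`, so callers know the global must be set before this is called. The body of rebuild_env continues past the hunk, so whether every former use of the parameter now refers to the global cannot be confirmed from here.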
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 8c4033dde..5b1dcbc22 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -146,6 +146,7 @@ char *login_style;
 sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
 sudo_conv_t sudo_conv;
 sudo_printf_t sudo_printf;
+int sudo_mode;
 static char *runas_user;
 static char *runas_group;
@@ -158,8 +159,6 @@ char **NewArgv;
 /* error.c */
 extern sigjmp_buf error_jmp;
-static int sudo_mode;
-
 static int sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
 sudo_printf_t plugin_printf, char * const settings[],
@@ -437,7 +436,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 def_env_reset = FALSE;
 /* Build a new environment that avoids any nasty bits. */
- rebuild_env(sudo_mode, def_noexec);
+ rebuild_env(def_noexec);
 /* Fill in passwd struct based on user we are authenticating as. */
 auth_pw = get_authpw();
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index f2ec62eb4..5b726af6a 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -290,7 +290,7 @@ void env_init(char * const envp[]);
 void init_envtables(void);
 void insert_env_vars(char * const envp[]);
 void read_env_file(const char *, int);
-void rebuild_env(int, int);
+void rebuild_env(int);
 void validate_env_vars(char * const envp[]);
 /* fmt_string.c */
@@ -315,6 +315,7 @@ int group_plugin_query(const char *user, const char *group,
 extern struct sudo_user sudo_user;
 extern struct passwd *auth_pw, *list_pw;
 extern int long_list;
+extern int sudo_mode;
 extern uid_t timestamp_uid;
 extern sudo_conv_t sudo_conv;
 extern sudo_printf_t sudo_printf;
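Review bot: `int sudo_mode;` in the first hunk turns what was a file-local `static int sudo_mode;` (dropped in the second hunk) into a mutable global that env.c and auth/pam.c now read through the new `extern` in sudoers.h, yet the definition carries no comment about what it holds or who is expected to write it. Suggest `int sudo_mode;	/* MODE_LOGIN_SHELL and related flags for this invocation; assigned in this file (confirm), read by env.c and auth/pam.c */` so the wider sharing is visible at the definition. The third hunk's `rebuild_env(def_noexec)` now relies on that global having been assigned before the call, an ordering the former parameter made explicit at the call site.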