From: Todd C. Miller
Date: Mon, 8 Apr 2019 14:50:03 +0000 (-0600)
Subject: Restrict the PAM_TTY kludge to Solaris and Linux-PAM.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f0910c01da5e9f24a71db8b359a46ae19ddc7005;p=sudo
Restrict the PAM_TTY kludge to Solaris and Linux-PAM.
Setting PAM_TTY to the empty string causes problems with some modules on HP-UX so restrict it to systems where it is fixes known issues.
---
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 129e4fee2..b45fb086e 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -92,6 +92,7 @@ static int
 sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
 {
 static int pam_status = PAM_SUCCESS;
+ const char *tty = user_ttypath;
 int rc;
 debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)

@@ -135,17 +136,22 @@ sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
 }
 #endif

+#if defined(__LINUX_PAM__) || defined(__sun__)
 /*
- * Some versions of pam_lastlog have a bug that
- * will cause a crash if PAM_TTY is not set so if
- * there is no tty, set PAM_TTY to the empty string.
+ * Some PAM modules assume PAM_TTY is set and will misbehave (or crash)
+ * if it is not. Known offenders include pam_lastlog and pam_time.
 */
- rc = pam_set_item(pamh, PAM_TTY, user_ttypath ? user_ttypath : "");
- if (rc != PAM_SUCCESS) {
- const char *errstr = pam_strerror(pamh, rc);
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "pam_set_item(pamh, PAM_TTY, %s): %s",
- user_ttypath ? user_ttypath : "", errstr ? errstr : "unknown error");
+ if (tty == NULL)
+ tty = "";
+#endif
+ if (tty != NULL) {
+ rc = pam_set_item(pamh, PAM_TTY, tty);
+ if (rc != PAM_SUCCESS) {
+ const char *errstr = pam_strerror(pamh, rc);
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "pam_set_item(pamh, PAM_TTY, %s): %s", tty,
+ errstr ? errstr : "unknown error");
+ }
 }

 /*
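Review bot: The comment inside the new `#if defined(__LINUX_PAM__) || defined(__sun__)` block in the second hunk says why PAM_TTY is forced to the empty string, but not why other platforms are excluded; the HP-UX reason is recorded only in the commit message. I would add a line such as `* Elsewhere (e.g. HP-UX) an empty PAM_TTY upsets some modules, so it is left unset when there is no tty.` A failed `pam_set_item()` is still reported only through `sudo_debug_printf()` and `rc` is not acted on within this hunk, so on the platforms where modules are said to crash without PAM_TTY the code appears to carry on with it unset; if that is deliberate best-effort, the comment should say so. Modules that key rules on the tty name (pam_time is named here) will presumably see "" for no-tty invocations on Linux-PAM and Solaris, which is worth noting for anyone writing tty-based rules. sudo_pam_init2 begins before and continues past the lines shown.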