author | Vladimir Marek <Vladimir.Marek@oracle.com> |
Thu, 10 Apr 2014 15:30:14 +0200 | |
changeset 1830 | 93243cb310c5 |
parent 1790 | 5185544d0b6e |
permissions | -rw-r--r-- |
Fix for |
17617070 sudo does not use pam_setcred correctly to set the audit context |
|
This fix is submitted as http://www.sudo.ws/bugs/show_bug.cgi?id=642 |
|
Sudo 1.8.9p5 has another problem, pam_setcred configuration option is not |
enabled by default despite what is said in sudoers(4). Fix for that is |
accumulated in this patch as it will be submitted together with the |
PAM_REINITIALIZE_CRED fix. |
|
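--- a/sudo-1.8.9p5/plugins/sudoers/auth/pam.c
+++ b/sudo-1.8.9p5/plugins/sudoers/auth/pam.c
@@ -236,9 +236,11 @@
 * PAM_SUCCESS from another. For example, given a non-local user,
 * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
 * pam_unix is first in the stack, pam_setcred() will fail.
+ *
+ * Reinitialize credentials when changing a user.
 */
 if (def_pam_setcred)
- (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
 
 if (def_pam_session) {
 *pam_status = pam_open_session(pamh, 0);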
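Review bot: The `(void)` cast on `pam_setcred(pamh, PAM_REINITIALIZE_CRED)` still discards the result, so a failed reinitialize leaves the command running with whatever credentials and audit context the process already had, and nothing is recorded. The existing comment explains why a failure must not be fatal, but because the patch description ties this call to setting the audit context, the status is worth keeping, e.g. `int rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);` followed by a warning when `rc != PAM_SUCCESS`. The added comment line states what is done but not why; if the intent is the one given in the description, `* Use PAM_REINITIALIZE_CRED so the target user's credentials, including the audit context, replace the caller's.` would say it. The enclosing function starts and ends outside the hunk.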
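--- a/sudo-1.8.9p5/plugins/sudoers/defaults.c
+++ b/sudo-1.8.9p5/plugins/sudoers/defaults.c
@@ -485,6 +485,7 @@ init_defaults(void)
 #endif
 def_editor = estrdup(EDITOR);
 def_set_utmp = true;
+ def_pam_setcred = true;
 
 /* Finally do the lists (currently just environment tables). */
 init_envtables();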
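Review bot: The new `def_pam_setcred = true;` line turns on a credential-handling step for every configuration that does not set the option explicitly, yet it carries no comment saying why. A comment such as `/* sudoers(4) documents pam_setcred as on by default; make the code agree. */` would record the reason given in the patch description. Sites that relied on the previous effective default will need `Defaults !pam_setcred` to keep it, which is worth stating in the release notes for this update. init_defaults() starts and ends outside the hunk.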