1 Fix for |
1 Fix for |
2 17617070 sudo does not use pam_setcred correctly to set the audit context |
2 17617070 sudo does not use pam_setcred correctly to set the audit context |
3 |
3 |
4 This fix will be submitted upstream to the latest sudo release, |
4 This fix is submitted as http://www.sudo.ws/bugs/show_bug.cgi?id=642 |
5 currently 1.8.10p2. |
|
6 |
5 |
7 diff -ru sudo-1.8.6p7-orig//plugins/sudoers/auth/pam.c sudo-1.8.6p7/plugins/sudoers/auth/pam.c |
6 Sudo 1.8.9p5 has another problem, pam_setcred configuration option is not |
8 --- sudo-1.8.6p7-orig//plugins/sudoers/auth/pam.c Mon Feb 25 11:42:44 2013 |
7 enabled by default despite what is said in sudoers(4). Fix for that is |
9 +++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c Mon Oct 21 13:32:27 2013 |
8 accumulated in this patch as it will be submitted together with the |
10 @@ -229,8 +229,10 @@ |
9 PAM_REINITIALIZE_CRED fix. |
11 * for the setcred module. Because we haven't called pam_authenticate(), |
10 |
12 * this is not set and so pam_setcred() returns PAM_PERM_DENIED. |
11 --- sudo-1.8.9p5/plugins/sudoers/auth/pam.c 2014-02-07 10:25:08.979359126 +0100 |
13 * We can't call pam_acct_mgmt() with Linux-PAM for a similar reason. |
12 +++ sudo-1.8.9p5/plugins/sudoers/auth/pam.c 2014-02-07 10:24:43.823180676 +0100 |
|
13 @@ -236,9 +236,11 @@ |
|
14 * PAM_SUCCESS from another. For example, given a non-local user, |
|
15 * pam_unix will fail but pam_ldap or pam_sss may succeed, but if |
|
16 * pam_unix is first in the stack, pam_setcred() will fail. |
14 + * |
17 + * |
15 + * Reinitialize credentials when changing a user. |
18 + * Reinitialize credentials when changing a user. |
16 */ |
19 */ |
17 - (void) pam_setcred(pamh, PAM_ESTABLISH_CRED); |
20 if (def_pam_setcred) |
18 + (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED); |
21 - (void) pam_setcred(pamh, PAM_ESTABLISH_CRED); |
|
22 + (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED); |
19 |
23 |
20 #ifdef HAVE_PAM_GETENVLIST |
24 if (def_pam_session) { |
21 /* |
25 *pam_status = pam_open_session(pamh, 0); |
|
26 --- sudo-1.8.9p5/plugins/sudoers/defaults.c 2014-03-28 15:33:41.941482037 -0700 |
|
27 +++ sudo-1.8.9p5/plugins/sudoers/defaults.c 2014-03-28 15:22:36.457133334 -0700 |
|
28 @@ -485,6 +485,7 @@ init_defaults(void) |
|
29 #endif |
|
30 def_editor = estrdup(EDITOR); |
|
31 def_set_utmp = true; |
|
32 + def_pam_setcred = true; |
|
33 |
|
34 /* Finally do the lists (currently just environment tables). */ |
|
35 init_envtables(); |
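Review bot: The new comment `* Reinitialize credentials when changing a user.` above the `pam_setcred(pamh, PAM_REINITIALIZE_CRED)` call in the pam.c hunk does not say why PAM_REINITIALIZE_CRED rather than PAM_ESTABLISH_CRED is required, which is the whole substance of this patch; a reader of pam.c will not have the bug title from this patch's header. Suggest `* Reinitialize (rather than establish) credentials when changing a user so that modules keeping a per-user context, e.g. the audit context (bug 17617070), re-evaluate it for the target user.` Because the result is still discarded with `(void)`, a reinitialization failure leaves that context unchanged without any trace; the comment above the call already explains why a failure must not be fatal, so this is presumably deliberate, but a debug-level log of a non-PAM_SUCCESS return would make it visible in the field. The enclosing function in pam.c begins and ends outside the hunk.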