1 Fix for |
2 17617070 sudo does not use pam_setcred correctly to set the audit context |
4 This fix is submitted as http://www.sudo.ws/bugs/show_bug.cgi?id=642 |
6 Sudo 1.8.9p5 has another problem, pam_setcred configuration option is not |
7 enabled by default despite what is said in sudoers(4). Fix for that is |
8 accumulated in this patch as it will be submitted together with the |
9 PAM_REINITIALIZE_CRED fix. |
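--- sudo-1.8.9p5/plugins/sudoers/auth/pam.c 2014-02-07 10:25:08.979359126 +0100
+++ sudo-1.8.9p5/plugins/sudoers/auth/pam.c 2014-02-07 10:24:43.823180676 +0100
@@ -236,9 +236,11 @@
  * PAM_SUCCESS from another. For example, given a non-local user,
  * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
  * pam_unix is first in the stack, pam_setcred() will fail.
+ *
+ * Reinitialize credentials when changing a user.
  */
  if (def_pam_setcred)
- (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
 
  if (def_pam_session) {
  *pam_status = pam_open_session(pamh, 0);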
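Review bot: The return value of `pam_setcred(pamh, PAM_REINITIALIZE_CRED)` is still thrown away by the `(void)` cast, so when reinitialization fails the session is opened and the command runs with whatever credentials and audit context were already in place, and nothing records it. The comment above gives a good reason not to treat the failure as fatal, but it can still be made visible: inside a braced `if (def_pam_setcred)` body keep the result, `int rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);`, and emit a warning with `pam_strerror(pamh, rc)` when `rc != PAM_SUCCESS`. The added comment line would also read better ahead of the failure explanation, since it states what the call does. The comment block and the enclosing function begin above the hunk, so any matching credential cleanup at session end is not visible here.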
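--- sudo-1.8.9p5/plugins/sudoers/defaults.c 2014-03-28 15:33:41.941482037 -0700
+++ sudo-1.8.9p5/plugins/sudoers/defaults.c 2014-03-28 15:22:36.457133334 -0700
@@ -485,6 +485,7 @@ init_defaults(void)
 #endif
  def_editor = estrdup(EDITOR);
  def_set_utmp = true;
+ def_pam_setcred = true;
 
  /* Finally do the lists (currently just environment tables). */
  init_envtables();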
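Review bot: Setting `def_pam_setcred = true` in init_defaults() changes behaviour for every existing PAM build, and nothing at the assignment says so: installations that so far ran without pam_setcred() will now have credentials reinitialized on each run unless sudoers contains `Defaults !pam_setcred`. A short comment such as `/* On by default as documented in sudoers(4); disable with "Defaults !pam_setcred". */` would record the intent, and the change deserves a release-note entry so administrators whose PAM stacks misbehave in setcred know the switch exists. init_defaults() starts above the hunk, so whether this default is meant to apply to non-PAM builds too cannot be judged from here.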