components/sudo/patches/02-pam_setcred.patch
branchs11u3-sru
changeset 5568 d36fc1f41120
parent 5557 0c86123e6de4
child 5572 9eae79cfd382
5557:0c86123e6de4 5568:d36fc1f41120
     1 Fix for
       
     2 17617070 sudo does not use pam_setcred correctly to set the audit context
       
     3 
       
     4 This fix is submitted as http://www.sudo.ws/bugs/show_bug.cgi?id=642
       
     5 
       
     6 Sudo 1.8.9p5 has another problem, pam_setcred configuration option is not
       
     7 enabled by default despite what is said in sudoers(4). Fix for that is
       
     8 accumulated in this patch as it will be submitted together with the
       
     9 PAM_REINITIALIZE_CRED fix.
       
    10 
       
    11 --- sudo-1.8.9p5/plugins/sudoers/auth/pam.c	2014-02-07 10:25:08.979359126 +0100
       
    12 +++ sudo-1.8.9p5/plugins/sudoers/auth/pam.c	2014-02-07 10:24:43.823180676 +0100
       
    13 @@ -236,9 +236,11 @@
       
    14       * PAM_SUCCESS from another.  For example, given a non-local user,
       
    15       * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
       
    16       * pam_unix is first in the stack, pam_setcred() will fail.
       
    17 +     *
       
    18 +     * Reinitialize credentials when changing a user.
       
    19       */
       
    20      if (def_pam_setcred)
       
    21 -	(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
       
    22 +	(void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
       
    23  
       
    24      if (def_pam_session) {
       
    25  	*pam_status = pam_open_session(pamh, 0);
       
    26 --- sudo-1.8.9p5/plugins/sudoers/defaults.c	2014-03-28 15:33:41.941482037 -0700
       
    27 +++ sudo-1.8.9p5/plugins/sudoers/defaults.c	2014-03-28 15:22:36.457133334 -0700
       
    28 @@ -485,6 +485,7 @@ init_defaults(void)
       
    29  #endif
       
    30      def_editor = estrdup(EDITOR);
       
    31      def_set_utmp = true;
       
    32 +    def_pam_setcred = true;
       
    33  
       
    34      /* Finally do the lists (currently just environment tables). */
       
    35      init_envtables();
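Review bot: The new `pam_setcred(pamh, PAM_REINITIALIZE_CRED)` call (patch line 22) still discards its return value with `(void)`, so when credential reinitialization fails the command runs without the audit context this fix exists to establish, and nothing is logged. The comment above it explains why a failure must not be fatal on mixed stacks, but a warning is cheap: `int rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);` followed by an `if (rc != PAM_SUCCESS)` branch that reports `pam_strerror(pamh, rc)` through the plugin's warning logger, so an unset audit context is at least visible in the logs. The second hunk's `def_pam_setcred = true;` makes the compiled default match the sudoers(4) documentation the description cites; it would be worth checking that no other defaults initialization path resets it. The enclosing function in pam.c starts and ends outside the hunk.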