isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove PAM_TTY workaround for old, buggy PAM modules.

Browse Source 
In the past, some PAM modules assumed that PAM_TTY was set and would
misbehave (or crash) if not.  This was primarily obsolete versions
of Linux-PAM, so it should now be safe to remove this.  Setting
PAM_TTY to an empty string can cause its own set of issues.
GitHub issue #74
This commit is contained in:
Todd C. Miller
2022-01-05 10:59:27 -07:00
parent 8c42a29a1e
commit 1b72f138e3
1 changed files with 1 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
plugins/sudoers/auth/pam.c
View File

@@ -245,16 +245,7 @@ sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
"pam_set_item(pamh, PAM_RHOST, %s): %s", user_host, errstr); "pam_set_item(pamh, PAM_RHOST, %s): %s", user_host, errstr);
} }
} }
if (ttypath != NULL) {
#if defined(__LINUX_PAM__) || defined(__sun__)
/*
* Some PAM modules assume PAM_TTY is set and will misbehave (or crash)
* if it is not. Known offenders include pam_lastlog and pam_time.
*/
if (ttypath == NULL)
ttypath = "";
#endif
if (ttypath != NULL) { // -V547
rc = pam_set_item(pamh, PAM_TTY, ttypath); rc = pam_set_item(pamh, PAM_TTY, ttypath);
if (rc != PAM_SUCCESS) { if (rc != PAM_SUCCESS) {
errstr = sudo_pam_strerror(pamh, rc); errstr = sudo_pam_strerror(pamh, rc);