isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors from

Browse Source 
pam_acct_mgmt() if authentication is disabled for the user.
Bug #843
This commit is contained in:
Todd C. Miller
2018-07-26 12:31:29 -06:00
parent dc1e0e7168
commit 394524fd5d
6 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/sudoers/auth/bsdauth.c
View File

@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
}
int
bsdauth_approval(struct passwd *pw, sudo_auth *auth)
bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
struct bsdauth_state *state = auth->data;
debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH)

10
plugins/sudoers/auth/pam.c
View File

@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
}
int
sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
const char *s;
int *pam_status = (int *) auth->data;
@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
"is your account locked?"));
debug_return_int(AUTH_FATAL);
case PAM_NEW_AUTHTOK_REQD:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
debug_return_int(AUTH_SUCCESS);
/* New password required, try to change it. */
log_warningx(0, N_("Account or password is "
"expired, reset your password and try again"));
*pam_status = pam_chauthtok(pamh,
@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
N_("unable to change expired password: %s"), s);
debug_return_int(AUTH_FAILURE);
case PAM_AUTHTOK_EXPIRED:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
debug_return_int(AUTH_SUCCESS);
/* Password expired, cannot be updated by user. */
log_warningx(0,
N_("Password expired, contact your system administrator"));
debug_return_int(AUTH_FATAL);

4
plugins/sudoers/auth/sudo_auth.c
View File

@@ -168,7 +168,7 @@ sudo_auth_init(struct passwd *pw)
* Returns true on success, false on failure and -1 on error.
*/
int
sudo_auth_approval(struct passwd *pw, int validated)
sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
{
sudo_auth *auth;
debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH)
@@ -176,7 +176,7 @@ sudo_auth_approval(struct passwd *pw, int validated)
/* Call approval routines. */
for (auth = auth_switch; auth->name; auth++) {
if (auth->approval && !IS_DISABLED(auth)) {
int status = (auth->approval)(pw, auth);
int status = (auth->approval)(pw, auth, exempt);
if (status != AUTH_SUCCESS) {
/* Assume error msg already printed. */
log_auth_failure(validated, 0);

6
plugins/sudoers/auth/sudo_auth.h
View File

@@ -31,7 +31,7 @@ typedef struct sudo_auth {
int (*init)(struct passwd *pw, struct sudo_auth *auth);
int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth);
int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
int (*approval)(struct passwd *pw, struct sudo_auth *auth);
int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt);
int (*cleanup)(struct passwd *pw, struct sudo_auth *auth);
int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
int (*end_session)(struct passwd *pw, struct sudo_auth *auth);
@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv;
/* Prototypes for standalone methods */
int bsdauth_init(struct passwd *pw, sudo_auth *auth);
int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int bsdauth_approval(struct passwd *pw, sudo_auth *auth);
int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_pam_approval(struct passwd *pw, sudo_auth *auth);
int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth);

4
plugins/sudoers/check.c
View File

@@ -175,6 +175,7 @@ check_user(int validated, int mode)
{
struct passwd *auth_pw;
int ret = -1;
bool exempt = false;
debug_decl(check_user, SUDOERS_DEBUG_AUTH)
/*
@@ -194,6 +195,7 @@ check_user(int validated, int mode)
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
!def_authenticate ? "authentication disabled" :
"user exempt from authentication");
exempt = true;
ret = true;
goto done;
}
@@ -218,7 +220,7 @@ check_user(int validated, int mode)
done:
if (ret == true) {
/* The approval function may disallow a user post-authentication. */
ret = sudo_auth_approval(auth_pw, validated);
ret = sudo_auth_approval(auth_pw, validated, exempt);
}
sudo_auth_cleanup(auth_pw);
sudo_pw_delref(auth_pw);

2
plugins/sudoers/sudoers.h
View File

@@ -264,7 +264,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv
int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
int sudo_auth_end_session(struct passwd *pw);
int sudo_auth_init(struct passwd *pw);
int sudo_auth_approval(struct passwd *pw, int validated);
int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
int sudo_auth_cleanup(struct passwd *pw);
/* set_perms.c */