Add pam_service and pam_login_service sudoers settings to control

the service name passed to pam_start.
Todd C. Miller
2013-08-06 11:01:36 -06:00
parent 385e20c7bc
commit 52954481e1
10 changed files with 263 additions and 173 deletions

configure vendored

@@ -659,6 +659,7 @@ EXEEXT
ac_ct_CC ac_ct_CC
CC CC
PLUGINDIR PLUGINDIR
pam_login_service
pam_session pam_session
editor editor
secure_path secure_path
@@ -2927,6 +2928,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
# #
@@ -2970,6 +2972,7 @@ sesh_file=/usr/local/libexec/sudo/sesh
nsswitch_conf=/etc/nsswitch.conf nsswitch_conf=/etc/nsswitch.conf
secure_path="not set" secure_path="not set"
pam_session=on pam_session=on
pam_login_service=sudo
PLUGINDIR=/usr/local/libexec/sudo PLUGINDIR=/usr/local/libexec/sudo
# #
# End initial values for man page substitution # End initial values for man page substitution
@@ -18914,6 +18917,7 @@ if test "${with_pam_login+set}" = set; then :
$as_echo_n "checking whether to use PAM login... " >&6; } $as_echo_n "checking whether to use PAM login... " >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; } $as_echo "yes" >&6; }
pam_login_service="sudo-i"
;; ;;
no) ;; no) ;;
*) as_fn_error $? "\"--with-pam-login does not take an argument.\"" "$LINENO" 5 *) as_fn_error $? "\"--with-pam-login does not take an argument.\"" "$LINENO" 5


@@ -122,6 +122,7 @@ AC_SUBST([netsvc_conf])
AC_SUBST([secure_path]) AC_SUBST([secure_path])
AC_SUBST([editor]) AC_SUBST([editor])
AC_SUBST([pam_session]) AC_SUBST([pam_session])
AC_SUBST([pam_login_service])
AC_SUBST([PLUGINDIR]) AC_SUBST([PLUGINDIR])
# #
# Begin initial values for man page substitution # Begin initial values for man page substitution
@@ -164,6 +165,7 @@ sesh_file=/usr/local/libexec/sudo/sesh
nsswitch_conf=/etc/nsswitch.conf nsswitch_conf=/etc/nsswitch.conf
secure_path="not set" secure_path="not set"
pam_session=on pam_session=on
pam_login_service=sudo
PLUGINDIR=/usr/local/libexec/sudo PLUGINDIR=/usr/local/libexec/sudo
# #
# End initial values for man page substitution # End initial values for man page substitution
@@ -2753,6 +2755,7 @@ if test ${with_pam-"no"} != "no"; then
yes) AC_DEFINE([HAVE_PAM_LOGIN]) yes) AC_DEFINE([HAVE_PAM_LOGIN])
AC_MSG_CHECKING(whether to use PAM login) AC_MSG_CHECKING(whether to use PAM login)
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
pam_login_service="sudo-i"
;; ;;
no) ;; no) ;;
*) AC_MSG_ERROR(["--with-pam-login does not take an argument."]) *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])


@@ -1375,6 +1375,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
supported. The path to the noexec file should now be supported. The path to the noexec file should now be
set in the sudo.conf(4) file. set in the sudo.conf(4) file.
pam_login_service
On systems that use PAM for authentication, this is the
service name used when the --ii option is specified. The
default value is ``sudo''. See the description of
_p_a_m___s_e_r_v_i_c_e for more information.
pam_service On systems that use PAM for authentication, the service
name specifies the PAM policy to apply. This usually
corresponds to an entry in the _p_a_m_._c_o_n_f file or a file
in the _/_e_t_c_/_p_a_m_._d directory. The default value is
``sudo''.
passprompt The default prompt to use when asking for a password; passprompt The default prompt to use when asking for a password;
can be overridden via the --pp option or the SUDO_PROMPT can be overridden via the --pp option or the SUDO_PROMPT
environment variable. The following percent (`%') environment variable. The following percent (`%')
@@ -2236,4 +2248,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.8 July 16, 2013 Sudo 1.8.8 Sudo 1.8.8 August 6, 2013 Sudo 1.8.8



@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd July 16, 2013 .Dd August 6, 2013
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -2661,6 +2661,26 @@ version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the The path to the noexec file should now be set in the
.Xr sudo.conf @mansectform@ .Xr sudo.conf @mansectform@
file. file.
.It pam_login_service
On systems that use PAM for authentication, this is the service
name used when the
.Fl i
option is specified.
The default value is
.Dq Li @pam_login_service@ .
See the description of
.Em pam_service
for more information.
.It pam_service
On systems that use PAM for authentication, the service name
specifies the PAM policy to apply.
This usually corresponds to an entry in the
.Pa pam.conf
file or a file in the
.Pa /etc/pam.d
directory.
The default value is
.Dq Li sudo .
.It passprompt .It passprompt
The default prompt to use when asking for a password; can be overridden via the The default prompt to use when asking for a password; can be overridden via the
.Fl p .Fl p


@@ -93,12 +93,8 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth)
if (auth != NULL) if (auth != NULL)
auth->data = (void *) &pam_status; auth->data = (void *) &pam_status;
pam_conv.conv = converse; pam_conv.conv = converse;
#ifdef HAVE_PAM_LOGIN pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
else
#endif
pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
if (pam_status != PAM_SUCCESS) { if (pam_status != PAM_SUCCESS) {
log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM")); log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM"));
debug_return_int(AUTH_FATAL); debug_return_int(AUTH_FATAL);
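Review bot: The service name handed to pam_start on the new lines now comes straight from the sudoers pam_service / pam_login_service strings, and nothing here rejects an empty value or one containing a path separator; how the PAM library maps such a name onto a policy file is implementation-dependent, so it is better refused up front than passed through. I would select the name into a local and guard it before the call, e.g. `const char *service = ISSET(sudo_mode, MODE_LOGIN_SHELL) ? def_pam_login_service : def_pam_service;` followed by `if (*service == '\0' || strchr(service, '/') != NULL) { log_warning(NO_MAIL, N_("invalid PAM service name")); debug_return_int(AUTH_FATAL); }`, or equivalently validate the value where the Defaults entry is stored so a bad sudoers line is reported at parse time. Whether a NULL string can reach this point depends on how negating a T_STR default is handled in defaults.c, which is outside this hunk. sudo_pam_init begins before the hunk.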


@@ -354,6 +354,14 @@ struct sudo_defs_types sudo_defs_table[] = {
"exec_background", T_FLAG, "exec_background", T_FLAG,
N_("Run commands on a pty in the background"), N_("Run commands on a pty in the background"),
NULL, NULL,
}, {
"pam_service", T_STR,
N_("PAM service name to use"),
NULL,
}, {
"pam_login_service", T_STR,
N_("PAM service name to use for login shells"),
NULL,
}, { }, {
"pam_session", T_FLAG, "pam_session", T_FLAG,
N_("Create a new PAM session for the command to run in"), N_("Create a new PAM session for the command to run in"),


@@ -164,10 +164,14 @@
#define I_LIMITPRIVS 81 #define I_LIMITPRIVS 81
#define def_exec_background (sudo_defs_table[82].sd_un.flag) #define def_exec_background (sudo_defs_table[82].sd_un.flag)
#define I_EXEC_BACKGROUND 82 #define I_EXEC_BACKGROUND 82
#define def_pam_session (sudo_defs_table[83].sd_un.flag) #define def_pam_service (sudo_defs_table[83].sd_un.str)
#define I_PAM_SESSION 83 #define I_PAM_SERVICE 83
#define def_maxseq (sudo_defs_table[84].sd_un.ival) #define def_pam_login_service (sudo_defs_table[84].sd_un.str)
#define I_MAXSEQ 84 #define I_PAM_LOGIN_SERVICE 84
#define def_pam_session (sudo_defs_table[85].sd_un.flag)
#define I_PAM_SESSION 85
#define def_maxseq (sudo_defs_table[86].sd_un.ival)
#define I_MAXSEQ 86
enum def_tuple { enum def_tuple {
never, never,


@@ -262,6 +262,12 @@ limitprivs
exec_background exec_background
T_FLAG T_FLAG
"Run commands on a pty in the background" "Run commands on a pty in the background"
pam_service
T_STR
"PAM service name to use"
pam_login_service
T_STR
"PAM service name to use for login shells"
pam_session pam_session
T_FLAG T_FLAG
"Create a new PAM session for the command to run in" "Create a new PAM session for the command to run in"


@@ -421,6 +421,12 @@ init_defaults(void)
def_env_reset = ENV_RESET; def_env_reset = ENV_RESET;
def_set_logname = true; def_set_logname = true;
def_closefrom = STDERR_FILENO + 1; def_closefrom = STDERR_FILENO + 1;
def_pam_service = estrdup("sudo");
#ifdef HAVE_PAM_LOGIN
def_pam_login_service = estrdup("sudo-i");
#else
def_pam_login_service = estrdup("sudo");
#endif
#ifdef NO_PAM_SESSION #ifdef NO_PAM_SESSION
def_pam_session = false; def_pam_session = false;
#else #else
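Review bot: The HAVE_PAM_LOGIN branch on the new lines re-encodes in C the same "sudo-i"-versus-"sudo" choice that configure.in makes when it sets pam_login_service for the @pam_login_service@ man-page substitution, so the documented default and the compiled default live in two places and can drift apart. Having configure AC_DEFINE the chosen string (macro name to be chosen) and writing `def_pam_login_service = estrdup(<configure-defined macro>);` here would keep a single source of truth; the same applies to the literal "sudo" used for def_pam_service. init_defaults starts before this hunk and continues past it, so whether earlier code releases a previous string value before these estrdup calls cannot be confirmed from here.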