Add pam_service and pam_login_service sudoers settings to control

the service name passed to pam_start.
2013-08-06 11:01:36 -06:00
parent 385e20c7bc
commit 52954481e1
10 changed files with 263 additions and 173 deletions
--- a/4
+++ b/4
@@ -659,6 +659,7 @@ EXEEXT
 ac_ct_CC
 CC
 PLUGINDIR
+pam_login_service
 pam_session
 editor
 secure_path
@@ -2927,6 +2928,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}



+


 #
@@ -2970,6 +2972,7 @@ sesh_file=/usr/local/libexec/sudo/sesh
 nsswitch_conf=/etc/nsswitch.conf
 secure_path="not set"
 pam_session=on
+pam_login_service=sudo
 PLUGINDIR=/usr/local/libexec/sudo
 #
 # End initial values for man page substitution
@@ -18914,6 +18917,7 @@ if test "${with_pam_login+set}" = set; then :
 $as_echo_n "checking whether to use PAM login... " >&6; }
 			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
+			pam_login_service="sudo-i"
 			;;
 	    no)		;;
 	    *)		as_fn_error $? "\"--with-pam-login does not take an argument.\"" "$LINENO" 5
--- a/configure.in
+++ b/configure.in
@@ -122,6 +122,7 @@ AC_SUBST([netsvc_conf])
 AC_SUBST([secure_path])
 AC_SUBST([editor])
 AC_SUBST([pam_session])
+AC_SUBST([pam_login_service])
 AC_SUBST([PLUGINDIR])
 #
 # Begin initial values for man page substitution
@@ -164,6 +165,7 @@ sesh_file=/usr/local/libexec/sudo/sesh
 nsswitch_conf=/etc/nsswitch.conf
 secure_path="not set"
 pam_session=on
+pam_login_service=sudo
 PLUGINDIR=/usr/local/libexec/sudo
 #
 # End initial values for man page substitution
@@ -2753,6 +2755,7 @@ if test ${with_pam-"no"} != "no"; then
 	    yes)	AC_DEFINE([HAVE_PAM_LOGIN])
 			AC_MSG_CHECKING(whether to use PAM login)
 			AC_MSG_RESULT(yes)
+			pam_login_service="sudo-i"
 			;;
 	    no)		;;
 	    *)		AC_MSG_ERROR(["--with-pam-login does not take an argument."])
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1375,6 +1375,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                       supported.  The path to the noexec file should now be
                       set in the sudo.conf(4) file.

+     pam_login_service
+                       On systems that use PAM for authentication, this is the
+                       service name used when the --ii option is specified.  The
+                       default value is ``sudo''.  See the description of
+                       _p_a_m___s_e_r_v_i_c_e for more information.
+
+     pam_service       On systems that use PAM for authentication, the service
+                       name specifies the PAM policy to apply.  This usually
+                       corresponds to an entry in the _p_a_m_._c_o_n_f file or a file
+                       in the _/_e_t_c_/_p_a_m_._d directory.  The default value is
+                       ``sudo''.
+
     passprompt        The default prompt to use when asking for a password;
                       can be overridden via the --pp option or the SUDO_PROMPT
                       environment variable.  The following percent (`%')
@@ -2236,4 +2248,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
     complete details.

-Sudo 1.8.8                       July 16, 2013                      Sudo 1.8.8
+Sudo 1.8.8                      August 6, 2013                      Sudo 1.8.8
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd July 16, 2013
+.Dd August 6, 2013
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2661,6 +2661,26 @@ version 1.8.1 this option is no longer supported.
 The path to the noexec file should now be set in the
 .Xr sudo.conf @mansectform@
 file.
+.It pam_login_service
+On systems that use PAM for authentication, this is the service
+name used when the
+.Fl i
+option is specified.
+The default value is
+.Dq Li @pam_login_service@ .
+See the description of
+.Em pam_service
+for more information.
+.It pam_service
+On systems that use PAM for authentication, the service name
+specifies the PAM policy to apply.
+This usually corresponds to an entry in the
+.Pa pam.conf
+file or a file in the
+.Pa /etc/pam.d
+directory.
+The default value is
+.Dq Li sudo .
 .It passprompt
 The default prompt to use when asking for a password; can be overridden via the
 .Fl p
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -93,12 +93,8 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth)
    if (auth != NULL)
 	auth->data = (void *) &pam_status;
    pam_conv.conv = converse;
-#ifdef HAVE_PAM_LOGIN
-    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
-	pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
-    else
-#endif
-	pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+    pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
+	def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
    if (pam_status != PAM_SUCCESS) {
 	log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM"));
 	debug_return_int(AUTH_FATAL);
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -354,6 +354,14 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"exec_background", T_FLAG,
 	N_("Run commands on a pty in the background"),
 	NULL,
+    }, {
+	"pam_service", T_STR,
+	N_("PAM service name to use"),
+	NULL,
+    }, {
+	"pam_login_service", T_STR,
+	N_("PAM service name to use for login shells"),
+	NULL,
    }, {
 	"pam_session", T_FLAG,
 	N_("Create a new PAM session for the command to run in"),
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -164,10 +164,14 @@
 #define I_LIMITPRIVS            81
 #define def_exec_background     (sudo_defs_table[82].sd_un.flag)
 #define I_EXEC_BACKGROUND       82
-#define def_pam_session         (sudo_defs_table[83].sd_un.flag)
-#define I_PAM_SESSION           83
-#define def_maxseq              (sudo_defs_table[84].sd_un.ival)
-#define I_MAXSEQ                84
+#define def_pam_service         (sudo_defs_table[83].sd_un.str)
+#define I_PAM_SERVICE           83
+#define def_pam_login_service   (sudo_defs_table[84].sd_un.str)
+#define I_PAM_LOGIN_SERVICE     84
+#define def_pam_session         (sudo_defs_table[85].sd_un.flag)
+#define I_PAM_SESSION           85
+#define def_maxseq              (sudo_defs_table[86].sd_un.ival)
+#define I_MAXSEQ                86

 enum def_tuple {
 	never,
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -262,6 +262,12 @@ limitprivs
 exec_background
 	T_FLAG
 	"Run commands on a pty in the background"
+pam_service
+	T_STR
+	"PAM service name to use"
+pam_login_service
+	T_STR
+	"PAM service name to use for login shells"
 pam_session
 	T_FLAG
 	"Create a new PAM session for the command to run in"
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -421,6 +421,12 @@ init_defaults(void)
    def_env_reset = ENV_RESET;
    def_set_logname = true;
    def_closefrom = STDERR_FILENO + 1;
+    def_pam_service = estrdup("sudo");
+#ifdef HAVE_PAM_LOGIN
+    def_pam_login_service = estrdup("sudo-i");
+#else
+    def_pam_login_service = estrdup("sudo");
+#endif
 #ifdef NO_PAM_SESSION
    def_pam_session = false;
 #else