Add --disable-pam-session configure option to disable calling

pam_{open,close}_session. May work around bugs in some PAM implementations.
2007-10-09 00:04:48 +00:00
parent f951605429
commit 5a04b3ff9d
4 changed files with 25 additions and 0 deletions
--- a/7
+++ b/7
@@ -252,6 +252,13 @@ Special features/options:
 	is to compile noexec support if libtool supports building
 	shared objects on your OS.

+  --disable-pam-session
+        Disable sudo's PAM session support.  This may be needed on
+        older PAM implementations or on operating systems where
+        opening a PAM session changes the utmp or wtmp files.  If
+        PAM session support is disabled, resource limits may not
+        be updatedin for command being run.
+
  --disable-root-mailer
 	By default sudo will run the mailer as root when tattling
 	on a user so as to prevent that user from killing the mailer.
--- a/auth/pam.c
+++ b/auth/pam.c
@@ -206,6 +206,7 @@ pam_prep_user(pw)
     */
    (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);

+#ifndef NO_PAM_SESSION
    /*
     * To fully utilize PAM sessions we would need to keep a
     * sudo process around until the command exits.  However, we
@@ -217,6 +218,7 @@ pam_prep_user(pw)
 	return(AUTH_FAILURE);
    }
    (void) pam_close_session(pamh, 0);
+#endif

    if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
 	return(AUTH_SUCCESS);
--- a/config.h.in
+++ b/config.h.in
@@ -476,6 +476,9 @@
   sudo. */
 #undef NO_LECTURE

+/* Define to 1 if you don't want to use sudo's PAM session support. */
+#undef NO_PAM_SESSION
+
 /* Define to avoid runing the mailer as root. */
 #undef NO_ROOT_MAILER

--- a/configure.in
+++ b/configure.in
@@ -1810,6 +1810,19 @@ if test ${with_pam-"no"} != "no"; then
 	AC_DEFINE(HAVE_PAM)
 	AUTH_OBJS="$AUTH_OBJS pam.o";
 	AUTH_EXCL=PAM
+	AC_MSG_CHECKING(whether to use PAM session support)
+	AC_ARG_ENABLE(pam_session,
+	[  --disable-pam-session   Disable PAM session support],
+	    [ case "$enableval" in
+		yes)	AC_MSG_RESULT(yes)
+			;;
+		no)		AC_MSG_RESULT(no)
+			    AC_DEFINE(NO_PAM_SESSION)
+			    ;;
+		*)		AC_MSG_RESULT(no)
+			    AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
+			    ;;
+	    esac], AC_MSG_RESULT(yes))
    fi
 fi