isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ignore PAM_SESSION_ERR from pam_open_session() since this can

Browse Source 
apparently happen on systems using Solaris-derived PAM.  Other
errors from pam_open_session() are treated as fatal.  This avoids
the "policy plugin failed session initialization" error message
seen on some systems.
This commit is contained in:
Todd C. Miller
2016-05-25 08:33:57 -06:00
parent 356e74e1db
commit 5e1084c08a
2 changed files with 25 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@@ -37,6 +37,11 @@ What's new in Sudo 1.8.17
"visudo -x". This was never required by the standard and not "visudo -x". This was never required by the standard and not
escaping them improves readability of the output. escaping them improves readability of the output.
* Sudo no longer treats PAM_SESSION_ERR as a fatal error when
opening the PAM session. Other errors from pam_open_session()
are still treated as fatal. This avoids the "policy plugin
failed session initialization" error message seen on some systems.
What's new in Sudo 1.8.16 What's new in Sudo 1.8.16
* Fixed a compilation error on Solaris 10 with Stun Studio 12. * Fixed a compilation error on Solaris 10 with Stun Studio 12.

26
plugins/sudoers/auth/pam.c
View File

@@ -250,6 +250,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
{ {
int rc, status = AUTH_SUCCESS; int rc, status = AUTH_SUCCESS;
int *pam_status = (int *) auth->data; int *pam_status = (int *) auth->data;
const char *errstr;
debug_decl(sudo_pam_begin_session, SUDOERS_DEBUG_AUTH) debug_decl(sudo_pam_begin_session, SUDOERS_DEBUG_AUTH)
/* /*
@@ -261,7 +262,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
if (pamh != NULL) { if (pamh != NULL) {
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT); rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
if (rc != PAM_SUCCESS) { if (rc != PAM_SUCCESS) {
const char *errstr = pam_strerror(pamh, rc); errstr = pam_strerror(pamh, rc);
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_end: %s", errstr ? errstr : "unknown error"); "pam_end: %s", errstr ? errstr : "unknown error");
} }
@@ -276,7 +277,7 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
*/ */
rc = pam_set_item(pamh, PAM_USER, pw->pw_name); rc = pam_set_item(pamh, PAM_USER, pw->pw_name);
if (rc != PAM_SUCCESS) { if (rc != PAM_SUCCESS) {
const char *errstr = pam_strerror(pamh, rc); errstr = pam_strerror(pamh, rc);
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_set_item(pamh, PAM_USER, %s): %s", pw->pw_name, "pam_set_item(pamh, PAM_USER, %s): %s", pw->pw_name,
errstr ? errstr : "unknown error"); errstr ? errstr : "unknown error");
@@ -293,16 +294,29 @@ sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
if (def_pam_setcred) { if (def_pam_setcred) {
rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED); rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
if (rc != PAM_SUCCESS) { if (rc != PAM_SUCCESS) {
const char *errstr = pam_strerror(pamh, rc); errstr = pam_strerror(pamh, rc);
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_setcred: %s", errstr ? errstr : "unknown error"); "pam_setcred: %s", errstr ? errstr : "unknown error");
} }
} }
if (def_pam_session) { if (def_pam_session) {
*pam_status = pam_open_session(pamh, 0); rc = pam_open_session(pamh, 0);
if (*pam_status != PAM_SUCCESS) { switch (rc) {
const char *errstr = pam_strerror(pamh, *pam_status); case PAM_SUCCESS:
break;
case PAM_SESSION_ERR:
/* Treat PAM_SESSION_ERR as a non-fatal error. */
errstr = pam_strerror(pamh, rc);
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"pam_open_session: %s", errstr ? errstr : "unknown error");
/* Avoid closing session that was not opened. */
def_pam_session = false;
break;
default:
/* Unexpected session failure, treat as fatal error. */
*pam_status = rc;
errstr = pam_strerror(pamh, *pam_status);
log_warningx(0, N_("%s: %s"), "pam_open_session", log_warningx(0, N_("%s: %s"), "pam_open_session",
errstr ? errstr : "unknown error"); errstr ? errstr : "unknown error");
rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT); rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);