Fix a PAM_USER mismatch in session open/close. We update PAM_USER

to the target user immediately before setting resource limits, which is after the monitor process has forked (so it has the old value). Also, if the user did not authenticate, there is no pamh in the monitor so we need to init pam here too. This means we end up calling pam_start() twice, which should be fixed, but at least the session is always properly closed now.
2011-09-27 11:13:44 -04:00
parent 7304bc744e
commit c5f8dc95c6
4 changed files with 19 additions and 9 deletions
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -242,16 +242,26 @@ done:
 }

 int
-pam_end_session(sudo_auth *auth)
+pam_end_session(struct passwd *pw, sudo_auth *auth)
 {
    int status = PAM_SUCCESS;

-    if (pamh) {
 #ifndef NO_PAM_SESSION
-	(void) pam_close_session(pamh, PAM_SILENT);
+    /* If the user did not have to authenticate there is no pam handle yet. */
+    if (pamh == NULL)
+	pam_init(pw, NULL, NULL);
+
+    /*
+     * Update PAM_USER to reference the user we are running the command
+     * as to match the call to pam_open_session().
+     */
+    (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
+
+    (void) pam_close_session(pamh, PAM_SILENT);
 #endif
+
+    if (pamh != NULL)
 	status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
-    }
    return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
 }