Add support for a sudo-i pam.d file to be used for "sudo -i".

Adapted from a RedHat patch.

config.h.in

@@ -361,6 +361,9 @@
 /* Define to 1 if you use PAM authentication. */
 #undef HAVE_PAM
 
+/* Define to 1 if you use a specific PAM session for sudo -i. */
+#undef HAVE_PAM_LOGIN
+
 /* Define to 1 if you have the <pam/pam_appl.h> header file. */
 #undef HAVE_PAM_PAM_APPL_H
 

configure

@@ -1004,6 +1004,7 @@ enable_libtool_lock
 with_noexec
 with_netsvc
 enable_sia
+with_pam_login
 enable_pam_session
 '
       ac_precious_vars='build_alias
@@ -1747,6 +1748,7 @@ Optional Packages:
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-noexec=PATH      fully qualified pathname of sudo_noexec.so
   --with-netsvc[=PATH]    path to netsvc.conf
+  --with-pam-login        enable specific PAM session for sudo -i
 
 Some influential environment variables:
   CC          C compiler command
@@ -6928,13 +6930,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6931: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6933: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6934: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6936: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6937: output\"" >&5)
+  (eval echo "\"\$as_me:6939: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8139,7 +8141,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8142 "configure"' > conftest.$ac_ext
+  echo '#line 8144 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9400,11 +9402,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9403: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9405: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9407: \$? = $ac_status" >&5
+   echo "$as_me:9409: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9739,11 +9741,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9742: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9744: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9746: \$? = $ac_status" >&5
+   echo "$as_me:9748: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9844,11 +9846,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9847: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9849: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9851: \$? = $ac_status" >&5
+   echo "$as_me:9853: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9899,11 +9901,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9902: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9904: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9906: \$? = $ac_status" >&5
+   echo "$as_me:9908: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12266,7 +12268,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12269 "configure"
+#line 12271 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12362,7 +12364,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12365 "configure"
+#line 12367 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -16161,6 +16163,25 @@ done
 
 	AUTH_OBJS="$AUTH_OBJS pam.lo";
 	AUTH_EXCL=PAM
+
+
+# Check whether --with-pam-login was given.
+if test "${with_pam_login+set}" = set; then :
+  withval=$with_pam_login; case $with_pam_login in
+	    yes)	$as_echo "#define HAVE_PAM_LOGIN 1" >>confdefs.h
+
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM login" >&5
+$as_echo_n "checking whether to use PAM login... " >&6; }
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+			;;
+	    no)		;;
+	    *)		as_fn_error "\"--with-pam-login does not take an argument.\"" "$LINENO" 5
+			;;
+	esac
+fi
+
+
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use PAM session support" >&5
 $as_echo_n "checking whether to use PAM session support... " >&6; }
 	# Check whether --enable-pam_session was given.
@@ -16185,6 +16206,7 @@ else
 $as_echo "yes" >&6; }
 fi
 
+
 	case $host in
 	    *-*-linux*|*-*-solaris*)
 		    # dgettext() may be defined to dgettext_libintl in the
@@ -20497,5 +20519,6 @@ fi
 
 
 
+
 
 

configure.in

@@ -2100,6 +2100,18 @@ if test ${with_pam-"no"} != "no"; then
 	AC_DEFINE(HAVE_PAM)
 	AUTH_OBJS="$AUTH_OBJS pam.lo";
 	AUTH_EXCL=PAM
+
+	AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])],
+	[case $with_pam_login in
+	    yes)	AC_DEFINE([HAVE_PAM_LOGIN])
+			AC_MSG_CHECKING(whether to use PAM login)
+			AC_MSG_RESULT(yes)
+			;;
+	    no)		;;
+	    *)		AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+			;;
+	esac])
+
 	AC_MSG_CHECKING(whether to use PAM session support)
 	AC_ARG_ENABLE(pam_session,
 	[AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])],
@@ -2113,6 +2125,7 @@ if test ${with_pam-"no"} != "no"; then
 			    AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
 			    ;;
 	    esac], AC_MSG_RESULT(yes))
+
 	case $host in
 	    *-*-linux*|*-*-solaris*)
 		    # dgettext() may be defined to dgettext_libintl in the
@@ -2801,6 +2814,7 @@ AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
+AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])

plugins/sudoers/auth/pam.c

@@ -90,7 +90,12 @@ pam_init(struct passwd *pw, char **promptp, sudo_auth *auth)
     if (auth != NULL)
 	auth->data = (void *) &pam_status;
     pam_conv.conv = converse;
-    pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+	pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+    else
+#endif
+	pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
     if (pam_status != PAM_SUCCESS) {
 	log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
 	return(AUTH_FATAL);

plugins/sudoers/env.c

@@ -407,7 +407,7 @@ matches_env_keep(const char *var)
  * Also adds sudo-specific variables (SUDO_*).
  */
 void
-rebuild_env(int sudo_mode, int noexec)
+rebuild_env(int noexec)
 {
     char **old_envp, **ep, *cp, *ps1;
     char idbuf[MAX_UID_T_LEN];

plugins/sudoers/sudoers.c

@@ -146,6 +146,7 @@ char *login_style;
 sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
 sudo_conv_t sudo_conv;
 sudo_printf_t sudo_printf;
+int sudo_mode;
 
 static char *runas_user;
 static char *runas_group;
@@ -158,8 +159,6 @@ char **NewArgv;
 /* error.c */
 extern sigjmp_buf error_jmp;
 
-static int sudo_mode;
-
 static int
 sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
     sudo_printf_t plugin_printf, char * const settings[],
@@ -437,7 +436,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	def_env_reset = FALSE;
 
     /* Build a new environment that avoids any nasty bits. */
-    rebuild_env(sudo_mode, def_noexec);
+    rebuild_env(def_noexec);
 
     /* Fill in passwd struct based on user we are authenticating as.  */
     auth_pw = get_authpw();

plugins/sudoers/sudoers.h

@@ -290,7 +290,7 @@ void env_init(char * const envp[]);
 void init_envtables(void);
 void insert_env_vars(char * const envp[]);
 void read_env_file(const char *, int);
-void rebuild_env(int, int);
+void rebuild_env(int);
 void validate_env_vars(char * const envp[]);
 
 /* fmt_string.c */
@@ -315,6 +315,7 @@ int group_plugin_query(const char *user, const char *group,
 extern struct sudo_user sudo_user;
 extern struct passwd *auth_pw, *list_pw;
 extern int long_list;
+extern int sudo_mode;
 extern uid_t timestamp_uid;
 extern sudo_conv_t sudo_conv;
 extern sudo_printf_t sudo_printf;