isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,868 Commits 1 Branch 0 Tags
0b506a2d07df25073f08975687ce6ea44c35d65b
Commit Graph

26 Commits

Author SHA1 Message Date
Todd C. Miller
13672f28df Make sudo pass -Wwrite-strings 2022-06-28 16:33:15 -06:00
Todd C. Miller
521ef37aea Push non-interactive mode checking down into the auth methods. 
For "sudo -n" we only want to reject a command if user input is
actually required.  In the case of PAM at least, we may not need
to interact with the user.  Bug #956, GitHub issue #83
 2022-01-04 18:57:36 -07:00
Todd C. Miller
ec3fdd3aa8 Add a force flag to sudo_auth_cleanup() to force immediate cleanup. 
This is used for PAM authentication to make sure pam_end() is called
via sudo_auth_cleanup() when the user authenticates successfully but
sudoers denies the command.  Debian bug #669687
 2020-04-01 14:41:38 -06:00
Todd C. Miller
1e1ef61902 Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00
Todd C. Miller
394524fd5d Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors from 
pam_acct_mgmt() if authentication is disabled for the user.
Bug #843
 2018-07-26 12:31:29 -06:00
Todd C. Miller
4c0c225062 Store passwd_timeout and timestamp_timeout as a struct timespec 
instead of as a float.  Remove timeout argument to auth_getpass()
as it was never used.
 2018-01-22 12:18:48 -07:00
Todd C. Miller
594c2d4efd Add an approval function to the sudo auth API which is run after 
the user's password has been verified.  The approval function is
run even if no password is required.  This is currently only used
for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
 2018-01-16 10:27:58 -07:00
Todd C. Miller
48fba3c2cc update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00
Todd C. Miller
b2d1c457ce If the auth_type setting in /etc/security/login.cfg is set to 
PAM_AUTH but pam_start() fails, fall back to use AIX authentication.
Skip the auth_type check if sudo is not compiled with PAM support.
 2016-03-22 16:31:28 -06:00
Todd C. Miller
2ecda6d65c Use the auth_getpass (and the plugin conversation fuction) for Tru64 
SIA.  This prevents sudo from sleeping while holding the tty ticket
lock.
 2015-10-06 10:25:53 -06:00
Todd C. Miller
98a15d9879 Add a struct sudo_conv_callback that contains on_suspend and on_resume 
function pointer args plus a closure pointer and at it to the
conversation function.
 2015-09-07 06:06:08 -06:00
Todd C. Miller
e11f32fd42 On AIX use the value of auth_type in /etc/security/login.cfg to 
determine whether to use LAM or PAM unless the user specified the
--with-pam or --with-aixauth configure flags.
 2015-02-23 11:12:43 -07:00
Todd C. Miller
4e3e5077e1 Remove unused FLAG_USER auth flag. We have no auth methods that 
require that authentication be run as the invoking user.
 2014-02-27 15:51:40 -07:00
Todd C. Miller
d6282d154a Update copyright years. 2013-04-24 09:35:02 -04:00
Todd C. Miller
6d10909949 Pass a pointer to user_env in to the init_session policy plugin 
function so session setup can modify the user environment as needed.
For PAM authentication, merge the PAM environment with the user
environment at init_session time.  We no longer need to swap in the
user_env for environ during session init, nor do we need to disable
the env hooks at init_session time.
 2012-03-15 09:18:36 -04:00
Todd C. Miller
6fd3e03857 Prefix authentication functions with a "sudo_" prefix to avoid 
namespace problems.
 2011-11-13 11:46:39 -05:00
Todd C. Miller
c86561e502 Remove the old Kerberos IV support 2011-11-13 09:12:43 -05:00
Todd C. Miller
bceb5df158 Modify the authentication API such that the init and cleanup functions 
are always called, regardless of whether or not we are going to
verify a password.  This is needed for proper PAM session support.
 2011-09-27 13:18:46 -04:00
Todd C. Miller
c5f8dc95c6 Fix a PAM_USER mismatch in session open/close. We update PAM_USER 
to the target user immediately before setting resource limits, which
is after the monitor process has forked (so it has the old value).
Also, if the user did not authenticate, there is no pamh in the
monitor so we need to init pam here too.  This means we end up
calling pam_start() twice, which should be fixed, but at least the
session is always properly closed now.
 2011-09-27 11:13:44 -04:00
Todd C. Miller
96cb890d53 No need to look up shadow password unless we are doing password-style 
authentication.  This moves the shadow password lookup to the auth
functions that need it.
 2010-08-06 13:55:33 -04:00
Todd C. Miller
b72a530fd0 Update copyright year 2010-06-14 12:19:49 -04:00
Todd C. Miller
b2ed46652b Clean up the sudoers auth API a bit and update the docs. 2010-05-27 14:53:11 -04:00
Todd C. Miller
27be96c9cd Add open/close session to sudo auth, only used by PAM. 
This allows us to open (and close) the PAM session from sudoers.
 2010-05-26 17:57:47 -04:00
Todd C. Miller
d5ae4c7d87 Kill __P in sudoers 2010-03-17 19:56:27 -04:00
Todd C. Miller
9b0205846b Initial bits of sudoers plugin; still needs work. 2010-03-14 19:58:47 -04:00
Todd C. Miller
e90fa482f9 Rework source layout in preparation for modular sudo. 2010-02-20 09:14:01 -05:00