A new constant, SUDO_CONV_REPL_MAX, is defined by the plugin
API as the max conversation reply length. This constant can be
used as a max value for memset_s() when clearing passwords
filled in by the conversation function.
stacked PAM auth modules a failure from one module may override
PAM_SUCCESS from another. If the first module in the stack fails,
the others may be run (and succeed) but an error will be returned.
This can cause a spurious warning on systems with non-local users
(e.g. pam_ldap or pam_sss) where pam_unix is consulted first.
MAXHOSTNAMELEN and the MIN/MAX macros. We now use PATH_MAX and
HOST_NAME_MAX throughout without falling back on MAXPATHLEN or
MAXHOSTNAMELEN and define our own MIN/MAX macros as needed.
function so session setup can modify the user environment as needed.
For PAM authentication, merge the PAM environment with the user
environment at init_session time. We no longer need to swap in the
user_env for environ during session init, nor do we need to disable
the env hooks at init_session time.
to the target user immediately before setting resource limits, which
is after the monitor process has forked (so it has the old value).
Also, if the user did not authenticate, there is no pamh in the
monitor so we need to init pam here too. This means we end up
calling pam_start() twice, which should be fixed, but at least the
session is always properly closed now.
reading any further passwords in the pam conversation function.
Otherwise, if multiple PAM auth methods are required, the user will
have to hit ^C for each one.
Set adminstrative domain for the process when looking up user's
password or group info and when preparing for execve().
Include strings.h even if string.h exists since they may define
different things. Fixes warnings on AIX and others.
before the uid/gid/etc changes. A struct passwd pointer is passed in,which may be NULL if the user does not exist in the passwd database.The sudoers module uses init_session to open the pam session as needed.
