[sudo-users] help with HPUX
Todd C. Miller
Todd.Miller at sudo.ws
Mon Apr 8 08:27:21 MDT 2019
On Mon, 08 Apr 2019 09:47:01 -0000, Serbec Robar Irena wrote:
> We have been using sudo on HPUX servers for years now.
>
> 1. We mostly use it in the background inside scripts which are
> executed by users who execute "ssh script" from remote servers
> (using keys). It worked just fine with the settings "!requiretty,
> !pam_session" for versions up to 1.8.20p.
> Higher versions of sudo return "PAM account management error: General
> Commercial Security error"
>
> As we already explicitly require no pam_session, I'm at a loss what to do.
>
> It works fine if you trigger ssh with the "-t" option,
> but as the users are not from our company, it is hard to request a change from all
> of them.
Sudo sets PAM_TTY to the empty string when no tty is present to
work around bugs in some PAM modules. I believe this is what is
causing your problem and it explains why sudo run via "ssh -t"
works. OpenSSH had a similar problem a while back.
Can you try the following patch? I can also build an HP-UX package
with the change if you need it. Just let me know for what version
of HP-UX. This should also allow you to remove your "!pam_session"
workaround.
- todd
diff -r 6b5fa2805840 plugins/sudoers/auth/pam.c
--- a/plugins/sudoers/auth/pam.c Mon Mar 18 14:08:21 2019 -0600
+++ b/plugins/sudoers/auth/pam.c Mon Apr 08 08:22:13 2019 -0600
@@ -92,6 +92,7 @@ static int
sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
{
static int pam_status = PAM_SUCCESS;
+ const char *tty = user_ttypath;
int rc;
debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)
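Review bot: the debug_decl in the context line directly below the new declaration still names sudo_pam_init, while the function being edited is sudo_pam_init2; since this hunk already touches the declaration block, it is a good moment to correct that name so debug traces point at the right function. The added `const char *tty = user_ttypath;` itself is fine: it keeps user_ttypath untouched and gives the platform-specific block below a single variable to adjust.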
@@ -135,17 +136,22 @@ sudo_pam_init2(struct passwd *pw, sudo_a
}
#endif
+#if defined(__LINUX_PAM__) || defined(__sun__)
/*
- * Some versions of pam_lastlog have a bug that
- * will cause a crash if PAM_TTY is not set so if
- * there is no tty, set PAM_TTY to the empty string.
+ * Some PAM modules assume PAM_TTY is set and will misbehave (or crash)
+ * if it is not. Known offenders include pam_lastlog and pam_time.
*/
- rc = pam_set_item(pamh, PAM_TTY, user_ttypath ? user_ttypath : "");
- if (rc != PAM_SUCCESS) {
- const char *errstr = pam_strerror(pamh, rc);
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "pam_set_item(pamh, PAM_TTY, %s): %s",
- user_ttypath ? user_ttypath : "", errstr ? errstr : "unknown error");
+ if (tty == NULL)
+ tty = "";
+#endif
+ if (tty != NULL) {
+ rc = pam_set_item(pamh, PAM_TTY, tty);
+ if (rc != PAM_SUCCESS) {
+ const char *errstr = pam_strerror(pamh, rc);
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "pam_set_item(pamh, PAM_TTY, %s): %s", tty,
+ errstr ? errstr : "unknown error");
+ }
}
/*
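Review bot: the rewritten comment explains which modules need PAM_TTY set but not why the empty-string fallback is now limited to __LINUX_PAM__ and __sun__, so a later reader could reasonably widen the #if again. Record in the comment that setting PAM_TTY to "" is itself what produces the "PAM account management error" on HP-UX reported in this thread, and that on every other platform PAM_TTY is now simply left unset when there is no tty, which is the behaviour the `if (tty != NULL)` guard implements. With that stated, the change reads correctly: when a tty exists, every platform behaves exactly as before.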