[sudo-workers] PAM and return of init_session ignored ?

aurel aurel at aurel-r.fr
Mon Aug 10 17:16:00 MDT 2015 


On 10/08/2015 18:29, Todd C. Miller wrote:

> You should add some debugging to print the return value of
> pam_open_session() to make sure it is not actually returning
> PAM_SUCCESS.  If memory serves, when you have multiple session
> modules you can end up with PAM_SUCCESS as long as the later ones
> succeed.
>
>   - todd

After debugging, the return value of pam_open_session() is 14 (PAM_SESSION_ERR).
With multiple session modules, if one 'required' failed (before a 'sufficient'),
PAM will return an error to sudo.

In sudo_pam_begin_session(), status is set to 1 (AUTH_FAILURE) if an error is returned by pam_open_session()


pam.c

|sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)||
||{||
||	...||
||	if (def_pam_session) {
         *pam_status = pam_open_session(pamh, 0);
         if (*pam_status != PAM_SUCCESS) {  		 /* PAM_SUCCESS = 0  (PAM_SESSION_ERR = 14) */
             (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
             pamh = NULL;
             status = AUTH_FAILURE;  			 /* AUTH_FAILURE = 1 */
             goto done;
         }
     }
	...
	done:		
||  	    debug_return_int(status);||   /* return 1 */
||}|

The problem is in pam_auth.c.|  inside|sudo_auth_begin_session(), the return of sudo_pam_begin_session() is compared
with AUTH_FATAL whether there is an error. Problem: the error status is 1 and AUTH_FATAL is 3.
So, if module returned a success, it's ok, else, it's ok too.


pam_auth.c

int sudo_auth_begin_session(struct passwd *pw, char **user_env[])
{
     sudo_auth *auth;
     int status = AUTH_SUCCESS;
     debug_decl(sudo_auth_begin_session, SUDO_DEBUG_AUTH)

     for (auth = auth_switch; auth->name; auth++) {
         if (auth->begin_session && !IS_DISABLED(auth)) {
             status = (auth->begin_session)(pw, user_env, auth);  	/* call sudo_pam_begin_session */
             if (status == AUTH_FATAL) 		/* error status = 1 and AUTH_FATAL = 3,  module error will not be detected */
                 break;
         }
     }
     debug_return_int(status == AUTH_FATAL ? -1 : 1);  /* always return 1 */
}

The solution is to change in pam.c :
	status = AUTH_FAILURE;
To :
	status = AUTH_FAIL;


I await your opinion before making a patch

More information about the sudo-workers mailing list