[sudo-users] pam session

Karel Zak kzak at redhat.com
Tue May 24 12:58:11 EDT 2005


On Tue, 2005-05-24 at 10:12 -0600, Todd C. Miller wrote: 
> In message <1116926417.4053.14.camel at petra>
> 	so spake Karel Zak (kzak):
> 
> > is there any real reason why 'sudo' doesn't use PAM session? It means
> > the code doesn't call pam_open_session() and pam_close_session(). 
> 
> This would require that the sudo process spawn a command and wait
> until it finishes instead of just exec()ing the command as it does
> now.

Yes and no :-) It depends on PAM session modules.

For example, system limits (set by pam_limits) are persistent after
pam_close_session(). It means you can use code like:

	pam_open_session(pamh, 0);
	pam_close_session(pamh, 0);

and now you have set all system limits for the current process and all
child processes.

I think it is better to support at least some PAM session modules than
to ignore everything.

	Karel


--- sudo-1.6.8p8/auth/pam.c.sess	2005-05-24 16:38:35.976866872 +0200
+++ sudo-1.6.8p8/auth/pam.c	2005-05-24 16:39:50.061604280 +0200
@@ -175,6 +175,8 @@
 pam_prep_user(pw)
     struct passwd *pw;
 {
+    int error;
+
     if (pamh == NULL)
 	pam_init(pw, NULL, NULL);
 
@@ -195,6 +197,20 @@
      */
     (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
 
+    /*
+     * That's enough initialize PAM session in this function, because
+     * sudo calls it before exec()
+     */
+    if ((error = pam_open_session(pamh, 0))!=PAM_SUCCESS) {
+	    pam_end(pamh, error);
+	    return(AUTH_FAILURE);
+    }
+    /*
+     * For example settings from pam_limits are persistent after
pam_session_close() and
+     * it's probably more clean call pam_close_session() than omit it.
+     */
+    pam_close_session(pamh, 0);
+   
     if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
 	return(AUTH_SUCCESS);
     else
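Review bot: the failure path after pam_open_session() calls pam_end(pamh, error) and returns AUTH_FAILURE but leaves the file-scope pamh pointing at the destroyed handle, so the `if (pamh == NULL) pam_init(...)` guard at the top of pam_prep_user() (and anything else that relies on it) would later reuse a freed handle; add `pamh = NULL;` right after that pam_end(). Two smaller points in the same hunk: the return value of pam_close_session() is discarded (at least log a non-PAM_SUCCESS result), and the second comment has been line-wrapped by the mailer so that `pam_session_close() and` appears as a bare line without a leading `+`, which will make the patch fail to apply as posted; that comment also names pam_session_close() where pam_close_session() is meant, and the first comment reads better as "It is enough to initialize the PAM session in this function, because sudo calls it before exec()". It would also help to state in that comment that the session is opened and closed back to back, so only modules whose open-session side effects persist in the calling process (pam_limits being the case at hand) benefit, while modules that expect the session to stay open for the lifetime of the command will see a zero-length session; that is the trade-off discussed in the thread and a reader of the code should not have to rediscover it.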


-- 
Karel Zak <kzak at redhat.com>
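The following program is an added illustration, not part of Karel's mail and not sudo's code, of why the open-then-immediately-close sequence above is enough for pam_limits specifically: that module applies its settings to the calling process with setrlimit(), and resource limits are inherited across fork() and exec(), so they outlive pam_close_session(). A plain setrlimit() call stands in for the module (the limit value 64 is a constructed one), "closing the session" is a no-op, and a forked child then reports the soft RLIMIT_NOFILE it inherited. All function names here are the example's own.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Stand-in for what pam_limits does inside pam_sm_open_session(): it
 * applies limits to the *calling* process with setrlimit(). Only the
 * soft RLIMIT_NOFILE is touched here; the value is a constructed one.
 * Returns 0 on success, -1 on error.
 */
static int fake_limits_open_session(rlim_t nofile_soft)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (nofile_soft > rl.rlim_max)      /* cannot raise above the hard limit */
        nofile_soft = rl.rlim_max;
    rl.rlim_cur = nofile_soft;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Stand-in for pam_close_session(): pam_limits has nothing to undo. */
static int fake_limits_close_session(void)
{
    return 0;
}

/* Soft RLIMIT_NOFILE of the current process, or -1 on error. */
static long nofile_soft_limit(void)
{
    struct rlimit rl;

    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? (long)rl.rlim_cur : -1;
}

/*
 * Fork a child and have it report the soft limit it inherited. This models
 * the command sudo goes on to exec(): limits survive fork() and exec(), so
 * the child sees the value set during the already-closed "session".
 * Returns the child's limit, or -1 on error.
 */
static long nofile_soft_limit_in_child(void)
{
    int fds[2];
    long value = -1;
    pid_t pid;
    int status;

    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        long mine = nofile_soft_limit();

        close(fds[0]);
        if (write(fds[1], &mine, sizeof mine) != (ssize_t)sizeof mine)
            mine = -1;
        _exit(mine < 0 ? 1 : 0);
    }
    close(fds[1]);
    if (read(fds[0], &value, sizeof value) != (ssize_t)sizeof value)
        value = -1;
    close(fds[0]);
    waitpid(pid, &status, 0);
    return value;
}

/*
 * The sequence from the patch, compressed: open the session, close it at
 * once, then check that the limit is still in force for this process and
 * for a child. Returns 1 when both match the (clamped) requested value.
 */
static int limits_survive_session_close(rlim_t requested)
{
    struct rlimit rl;
    long expected, parent, child;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    expected = (long)(requested > rl.rlim_max ? rl.rlim_max : requested);

    if (fake_limits_open_session(requested) != 0)
        return 0;
    if (fake_limits_close_session() != 0)
        return 0;

    parent = nofile_soft_limit();
    child = nofile_soft_limit_in_child();
    return parent == expected && child == expected;
}

int main(void)
{
    printf("soft RLIMIT_NOFILE before: %ld\n", nofile_soft_limit());
    printf("limits survive open/close + fork: %s\n",
           limits_survive_session_close(64) ? "yes" : "no");
    printf("soft RLIMIT_NOFILE after:  %ld\n", nofile_soft_limit());
    return 0;
}
```

The same reasoning is what makes the patch's approach a one-sided trade: a module whose effect is a persistent change to the process (an rlimit, an environment variable) keeps working, whereas a module that needs the session to remain open until the command exits sees nothing but a zero-length session.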
