[sudo-users] disabling sudo fork-ing

Ciprian Dorin, Craciun ciprian.craciun at gmail.com
Tue Sep 14 07:30:21 EDT 2010


On Fri, Aug 20, 2010 at 18:04, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> In message <AANLkTi=t7Vd8MjdSwXaEWuhKGnVVwrVON9f8DBm+iENu at mail.gmail.com>
>        so spake "Ciprian Dorin, Craciun" (ciprian.craciun):
>
>>     Couldn't there also be a command line argument that forces this
>> disabling? (Because I doubt that the upstream ArchLinux maintainer
>> would accept the `--disable-pam-session` in the official builds...)
>
> Not without breaking the PAM session support.  Something needs to
> wait around to close the session after the command exits.  In the
> past sudo would open the session and immediately close it but this
> caused problems for some PAM modules.
>
> I'd much rather get to the bottom of whatever the actual signal
> issue is with running daemons via sudo using runit or daemontools.
>
>  - todd


    Hi! Again me bothering about the PAM session issue... (I've also
sent an email a few minutes ago cross-posting between the `runit` and
`sudo` mailing lists about a related bug.)

    But in this email (only on the `sudo` mailing list), I want to
stress the need for a `--no-pam-session` flag when invoking `sudo`
(thus at "run-time" not at "build-time").

    I've previously met this need by using the `--disable-pam-session`
during compilation (complemented with a patch from Todd). But as I use
ArchLinux (a very active and bleeding edge distribution), it means
I'll have to (and I did have to) recompile my package each time a new
`sudo` release appears or each time the distribution rebuilds their
package. (Or I'll have to pin down a certain custom compiled version,
which means I'm left with no security updates.)

    And to be reasonable about this I can't rely on always being able
to recompile my own `sudo` version. (Think of a server on which I have
sudo rights only for certain applications.)

    Furthermore, the change I'm asking for doesn't break anything (either
backward or forward); I'm just asking for a flag that makes `sudo`
backward compatible with what it used to do in previous versions.
(That is to force `sudo` not to use PAM session.) (I'm not asking for
this behavior "by-default". I just want a way to ask for it at
run-time.)

    Thank you for your understanding.
    Ciprian.

    P.S.: If the `sudo` developers don't have time to make the change
I could supply a patch which solves my issue for review.


