[sudo-users] help with HPUX

Todd C. Miller Todd.Miller at sudo.ws
Mon Apr 8 08:27:21 MDT 2019


On Mon, 08 Apr 2019 09:47:01 -0000, Serbec Robar Irena wrote:

> We have used sudo on HPUX servers for years now.
>
> 1. We mostly use it in a background inside scripts which are
> executed by users who execute "ssh script" from remote servers
> (using keys).  It worked just fine with settings "!requiretty,
> !pam_session" for versions up to 1.8.20p.

> Higher versions of sudo return "PAM account management error: General
> Commercial Security error"
>
> As we already explicitly require no pam_session, I'm at a loss what to do.
>
> It works fine if you trigger ssh with the "-t" option,
> but as users are not from our company, it is hard to request a change from all
> of them.

Sudo sets PAM_TTY to the empty string when no tty is present to
work around bugs in some PAM modules.  I believe this is what is
causing your problem and it explains why sudo run via "ssh -t"
works.  OpenSSH had a similar problem a while back.

Can you try the following patch?  I can also build an HP-UX package
with the change if you need it.  Just let me know for what version
of HP-UX.  This should also allow you to remove your "!pam_session"
workaround.

 - todd

diff -r 6b5fa2805840 plugins/sudoers/auth/pam.c
--- a/plugins/sudoers/auth/pam.c	Mon Mar 18 14:08:21 2019 -0600
+++ b/plugins/sudoers/auth/pam.c	Mon Apr 08 08:22:13 2019 -0600
@@ -92,6 +92,7 @@ static int
 sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
 {
     static int pam_status = PAM_SUCCESS;
+    const char *tty = user_ttypath;
     int rc;
     debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)
 
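Review bot: while touching the declarations at the top of sudo_pam_init2(), the debug_decl on the following line still reads `debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)`, so debug traces from this function are attributed to sudo_pam_init rather than sudo_pam_init2; consider correcting it to `debug_decl(sudo_pam_init2, SUDOERS_DEBUG_AUTH)` in the same change, since the new `tty` local is only meaningful with the second hunk and the two will be read together.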
@@ -135,17 +136,22 @@ sudo_pam_init2(struct passwd *pw, sudo_a
     }
 #endif
 
+#if defined(__LINUX_PAM__) || defined(__sun__)
     /*
-     * Some versions of pam_lastlog have a bug that
-     * will cause a crash if PAM_TTY is not set so if
-     * there is no tty, set PAM_TTY to the empty string.
+     * Some PAM modules assume PAM_TTY is set and will misbehave (or crash)
+     * if it is not.  Known offenders include pam_lastlog and pam_time.
      */
-    rc = pam_set_item(pamh, PAM_TTY, user_ttypath ? user_ttypath : "");
-    if (rc != PAM_SUCCESS) {
-	const char *errstr = pam_strerror(pamh, rc);
-	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-	    "pam_set_item(pamh, PAM_TTY, %s): %s",
-	    user_ttypath ? user_ttypath : "", errstr ? errstr : "unknown error");
+    if (tty == NULL)
+	tty = "";
+#endif
+    if (tty != NULL) {
+	rc = pam_set_item(pamh, PAM_TTY, tty);
+	if (rc != PAM_SUCCESS) {
+	    const char *errstr = pam_strerror(pamh, rc);
+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+		"pam_set_item(pamh, PAM_TTY, %s): %s", tty,
+		errstr ? errstr : "unknown error");
+	}
     }
 
     /*
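Review bot: the rewritten comment above the `#if defined(__LINUX_PAM__) || defined(__sun__)` block explains why an empty PAM_TTY is substituted, but not why the substitution is now limited to Linux-PAM and Solaris, which is the actual behavioural change for HP-UX (PAM_TTY is left unset instead of set to ""); a reader of this block alone cannot tell that other PAM implementations reject the empty string. Suggest extending the comment with one sentence along the lines of "Only do this on platforms known to need it; other PAM implementations may reject an empty PAM_TTY." Also note that inside the guarded platforms the following `if (tty != NULL)` is always true after `tty = "";`, which is fine, but worth a short comment so it is not mistaken for dead code.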

