[sudo-workers] NOPASSWD sudo and PAM

Daniel Kopeček dkopecek at redhat.com
Mon Jan 15 05:59:13 MST 2018

On 01/12/2018 01:33 PM, Todd C. Miller wrote:

> On Fri, 12 Jan 2018 09:22:21 +0100, =?UTF-8?Q?Daniel_Kope=c4=8dek?= wrote:
>> is there a difference w.r.t. PAM stack interaction for NOPASSWD vs
>> PASSWD sudoers entries?
> If NOPASSWD is set or if the time stamp file allows the user to run
> commands without authentication then only the PAM session modules
> will be called.  That means that pam_authenticate() is not called
> so the account modules will not be run.
> I'm not aware of a way to have the account module called without
> using pam_authenticate().

What about the pam_acct_mgmt API function?
According to the manual, this function is supposed to check the account 
Would it make sense to call this function without calling 
pam_authenticate in case of NOPASSWD (or !authenticate)?


More information about the sudo-workers mailing list