[sudo-workers] NOPASSWD sudo and PAM

Daniel Kopeček dkopecek at redhat.com
Mon Jan 15 05:59:13 MST 2018


On 01/12/2018 01:33 PM, Todd C. Miller wrote:

> On Fri, 12 Jan 2018 09:22:21 +0100, Daniel Kopeček wrote:
>
>> is there a difference w.r.t. PAM stack interaction for NOPASSWD vs
>> PASSWD sudoers entries?
> If NOPASSWD is set or if the time stamp file allows the user to run
> commands without authentication then only the PAM session modules
> will be called.  That means that pam_authenticate() is not called
> so the account modules will not be run.
>
> I'm not aware of a way to have the account module called without
> using pam_authenticate().

What about the pam_acct_mgmt API function?
According to the manual, this function is supposed to check the account 
validity.
Would it make sense to call this function without calling 
pam_authenticate in case of NOPASSWD (or !authenticate)?


Regards,
Daniel

