You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

104 lines
3.5 KiB

# HG changeset patch
# User Todd C. Miller <Todd.Miller@sudo.ws>
# Date 1544201494 25200
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
The fix for bug #843 was incomplete and caused pam_end() to be called early.
sudo_pam_approval() must not set the global pam status to an error
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
will call pam_end() before sudo_pam_begin_session(). This resulted
in a NULL PAM handle being used in sudo_pam_begin_session().
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
@@ -210,59 +210,68 @@
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
const char *s;
+ int rc, status = AUTH_SUCCESS;
int *pam_status = (int *) auth->data;
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
- switch (*pam_status) {
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
+ switch (rc) {
case PAM_SUCCESS:
- debug_return_int(AUTH_SUCCESS);
+ break;
case PAM_AUTH_ERR:
log_warningx(0, N_("account validation failure, "
"is your account locked?"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_NEW_AUTHTOK_REQD:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ break;
/* New password required, try to change it. */
log_warningx(0, N_("Account or password is "
"expired, reset your password and try again"));
- *pam_status = pam_chauthtok(pamh,
- PAM_CHANGE_EXPIRED_AUTHTOK);
- if (*pam_status == PAM_SUCCESS)
- debug_return_int(AUTH_SUCCESS);
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (rc == PAM_SUCCESS)
+ break;
+ if ((s = pam_strerror(pamh, rc)) == NULL)
s = "unknown error";
log_warningx(0,
N_("unable to change expired password: %s"), s);
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
case PAM_AUTHTOK_EXPIRED:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ break;
/* Password expired, cannot be updated by user. */
log_warningx(0,
N_("Password expired, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_ACCT_EXPIRED:
log_warningx(0,
N_("Account expired or PAM config lacks an \"account\" "
"section for sudo, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_AUTHINFO_UNAVAIL:
case PAM_MAXTRIES:
case PAM_PERM_DENIED:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
default:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
}
+ /* Ignore errors if user is exempt from password restrictions. */
+ *pam_status = exempt ? PAM_SUCCESS : rc;
+ debug_return_int(status);
}
int