base/SOURCES/sudo-1.8.23-pam_access-and-...

345 lines
11 KiB
Diff
Raw Permalink Blame History

This file contains invisible Unicode characters!

This file contains invisible Unicode characters that may be processed differently from what appears below. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to reveal hidden characters.

unchanged:
--- b/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -210,59 +210,71 @@
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
const char *s;
+ int rc, status = AUTH_SUCCESS;
int *pam_status = (int *) auth->data;
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
- switch (*pam_status) {
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
+ switch (rc) {
case PAM_SUCCESS:
- debug_return_int(AUTH_SUCCESS);
+ break;
case PAM_AUTH_ERR:
log_warningx(0, N_("account validation failure, "
"is your account locked?"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_NEW_AUTHTOK_REQD:
/* Ignore if user is exempt from password restrictions. */
- if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ if (exempt) {
+ rc = *pam_status;
+ break;
+ }
/* New password required, try to change it. */
log_warningx(0, N_("Account or password is "
"expired, reset your password and try again"));
- *pam_status = pam_chauthtok(pamh,
- PAM_CHANGE_EXPIRED_AUTHTOK);
- if (*pam_status == PAM_SUCCESS)
- debug_return_int(AUTH_SUCCESS);
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (rc == PAM_SUCCESS)
+ break;
+ if ((s = pam_strerror(pamh, rc)) == NULL)
s = "unknown error";
log_warningx(0,
N_("unable to change expired password: %s"), s);
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
case PAM_AUTHTOK_EXPIRED:
/* Ignore if user is exempt from password restrictions. */
- if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ if (exempt) {
+ rc = *pam_status;
+ break;
+ }
/* Password expired, cannot be updated by user. */
log_warningx(0,
N_("Password expired, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_ACCT_EXPIRED:
log_warningx(0,
N_("Account expired or PAM config lacks an \"account\" "
"section for sudo, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_AUTHINFO_UNAVAIL:
case PAM_MAXTRIES:
case PAM_PERM_DENIED:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
default:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
}
+ *pam_status = rc;
+ debug_return_int(status);
}
int
unchanged:
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1286,6 +1286,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end
of this manual. This flag is _o_f_f by default.
+ pam_acct_mgmt On systems that use PAM for authentication, ssuuddoo will
+ perform PAM account validation for the invoking user by
+ default. The actual checks performed depend on which
+ PAM modules are configured. If enabled, account
+ validation will be performed regardless of whether or
+ not a password is required. This flag is _o_n by
+ default.
+
+ This setting is only supported by version 1.8.28 or
+ higher.
+
pam_session On systems that use PAM for authentication, ssuuddoo will
create a new PAM session for the command to be run in.
Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM
unchanged:
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -2722,6 +2722,19 @@ This flag is
\fIoff\fR
by default.
.TP 18n
+pam_acct_mgmt
+On systems that use PAM for authentication,
+\fBsudo\fR
+will perform PAM account validation for the invoking user by default.
+The actual checks performed depend on which PAM modules are configured.
+If enabled, account validation will be performed regardless of whether
+or not a password is required.
+This flag is
+\fIon\fR
+by default.
+.sp
+This setting is only supported by version 1.8.28 or higher.
+.TP 18n
pam_session
On systems that use PAM for authentication,
\fBsudo\fR
unchanged:
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -2560,6 +2560,18 @@ section at the end of this manual.
This flag is
.Em off
by default.
+.It pam_acct_mgmt
+On systems that use PAM for authentication,
+.Nm sudo
+will perform PAM account validation for the invoking user by default.
+The actual checks performed depend on which PAM modules are configured.
+If enabled, account validation will be performed regardless of whether
+or not a password is required.
+This flag is
+.Em on
+by default.
+.Pp
+This setting is only supported by version 1.8.28 or higher.
.It pam_session
On systems that use PAM for authentication,
.Nm sudo
only in patch2:
unchanged:
--- ./plugins/sudoers/auth/pam.c.pamm 2019-01-11 21:30:17.000000000 +0100
+++ ./plugins/sudoers/auth/pam.c 2019-08-02 15:14:38.980077956 +0200
@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud
int *pam_status = (int *) auth->data;
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
- rc = pam_acct_mgmt(pamh, PAM_SILENT);
- switch (rc) {
- case PAM_SUCCESS:
- break;
- case PAM_AUTH_ERR:
- log_warningx(0, N_("account validation failure, "
- "is your account locked?"));
- status = AUTH_FATAL;
- break;
- case PAM_NEW_AUTHTOK_REQD:
- /* Ignore if user is exempt from password restrictions. */
- if (exempt) {
- rc = *pam_status;
- break;
- }
- /* New password required, try to change it. */
- log_warningx(0, N_("Account or password is "
- "expired, reset your password and try again"));
- rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (rc == PAM_SUCCESS)
- break;
- if ((s = pam_strerror(pamh, rc)) == NULL)
- s = "unknown error";
- log_warningx(0,
- N_("unable to change expired password: %s"), s);
- status = AUTH_FAILURE;
- break;
- case PAM_AUTHTOK_EXPIRED:
- /* Ignore if user is exempt from password restrictions. */
- if (exempt) {
- rc = *pam_status;
- break;
- }
- /* Password expired, cannot be updated by user. */
- log_warningx(0,
- N_("Password expired, contact your system administrator"));
- status = AUTH_FATAL;
- break;
- case PAM_ACCT_EXPIRED:
- log_warningx(0,
- N_("Account expired or PAM config lacks an \"account\" "
- "section for sudo, contact your system administrator"));
- status = AUTH_FATAL;
- break;
- case PAM_AUTHINFO_UNAVAIL:
- case PAM_MAXTRIES:
- case PAM_PERM_DENIED:
- s = pam_strerror(pamh, rc);
- log_warningx(0, N_("PAM account management error: %s"),
- s ? s : "unknown error");
- status = AUTH_FAILURE;
- break;
- default:
- s = pam_strerror(pamh, rc);
- log_warningx(0, N_("PAM account management error: %s"),
- s ? s : "unknown error");
- status = AUTH_FATAL;
- break;
+ if (def_pam_acct_mgmt) {
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
+ switch (rc) {
+ case PAM_SUCCESS:
+ break;
+ case PAM_AUTH_ERR:
+ log_warningx(0, N_("account validation failure, "
+ "is your account locked?"));
+ status = AUTH_FATAL;
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ /* Ignore if user is exempt from password restrictions. */
+ if (exempt) {
+ rc = *pam_status;
+ break;
+ }
+ /* New password required, try to change it. */
+ log_warningx(0, N_("Account or password is "
+ "expired, reset your password and try again"));
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (rc == PAM_SUCCESS)
+ break;
+ if ((s = pam_strerror(pamh, rc)) == NULL)
+ s = "unknown error";
+ log_warningx(0,
+ N_("unable to change expired password: %s"), s);
+ status = AUTH_FAILURE;
+ break;
+ case PAM_AUTHTOK_EXPIRED:
+ /* Ignore if user is exempt from password restrictions. */
+ if (exempt) {
+ rc = *pam_status;
+ break;
+ }
+ /* Password expired, cannot be updated by user. */
+ log_warningx(0,
+ N_("Password expired, contact your system administrator"));
+ status = AUTH_FATAL;
+ break;
+ case PAM_ACCT_EXPIRED:
+ log_warningx(0,
+ N_("Account expired or PAM config lacks an \"account\" "
+ "section for sudo, contact your system administrator"));
+ status = AUTH_FATAL;
+ break;
+ case PAM_AUTHINFO_UNAVAIL:
+ case PAM_MAXTRIES:
+ case PAM_PERM_DENIED:
+ s = pam_strerror(pamh, rc);
+ log_warningx(0, N_("PAM account management error: %s"),
+ s ? s : "unknown error");
+ status = AUTH_FAILURE;
+ break;
+ default:
+ s = pam_strerror(pamh, rc);
+ log_warningx(0, N_("PAM account management error: %s"),
+ s ? s : "unknown error");
+ status = AUTH_FATAL;
+ break;
+ }
+ *pam_status = rc;
}
- *pam_status = rc;
debug_return_int(status);
}
only in patch2:
unchanged:
--- ./plugins/sudoers/defaults.c.pamm 2019-08-02 15:14:38.973077882 +0200
+++ ./plugins/sudoers/defaults.c 2019-08-02 15:14:38.987078030 +0200
@@ -642,6 +642,7 @@ init_defaults(void)
if ((def_editor = strdup(EDITOR)) == NULL)
goto oom;
def_set_utmp = true;
+ def_pam_acct_mgmt = true;
def_pam_setcred = true;
def_syslog_maxlen = MAXSYSLOGLEN;
def_case_insensitive_user = true;
only in patch2:
unchanged:
--- ./plugins/sudoers/def_data.c.pamm 2019-08-02 15:14:38.976077914 +0200
+++ ./plugins/sudoers/def_data.c 2019-08-02 15:20:37.592876029 +0200
@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Don't fork and wait for the command to finish, just exec it"),
NULL,
}, {
+ "pam_acct_mgmt", T_FLAG,
+ N_("Perform PAM account validation management"),
+ NULL,
+ }, {
NULL, 0, NULL
}
};
only in patch2:
unchanged:
--- ./plugins/sudoers/def_data.h.pamm 2019-08-02 15:14:38.976077914 +0200
+++ ./plugins/sudoers/def_data.h 2019-08-02 15:14:38.987078030 +0200
@@ -230,6 +230,8 @@
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
#define I_CMND_NO_WAIT 115
#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+#define I_PAM_ACCT_MGMT 116
+#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
enum def_tuple {
never,
only in patch2:
unchanged:
--- ./plugins/sudoers/def_data.in.pamm 2019-08-02 15:14:38.976077914 +0200
+++ ./plugins/sudoers/def_data.in 2019-08-02 15:14:38.987078030 +0200
@@ -363,3 +363,6 @@ legacy_group_processing
cmnd_no_wait
T_FLAG
"Don't fork and wait for the command to finish, just exec it"
+pam_acct_mgmt
+ T_FLAG
+ "Perform PAM account validation management"