|
|
unchanged: |
|
|
--- b/plugins/sudoers/auth/pam.c |
|
|
+++ b/plugins/sudoers/auth/pam.c |
|
|
@@ -210,59 +210,71 @@ |
|
|
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) |
|
|
{ |
|
|
const char *s; |
|
|
+ int rc, status = AUTH_SUCCESS; |
|
|
int *pam_status = (int *) auth->data; |
|
|
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) |
|
|
|
|
|
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); |
|
|
- switch (*pam_status) { |
|
|
+ rc = pam_acct_mgmt(pamh, PAM_SILENT); |
|
|
+ switch (rc) { |
|
|
case PAM_SUCCESS: |
|
|
- debug_return_int(AUTH_SUCCESS); |
|
|
+ break; |
|
|
case PAM_AUTH_ERR: |
|
|
log_warningx(0, N_("account validation failure, " |
|
|
"is your account locked?")); |
|
|
- debug_return_int(AUTH_FATAL); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
case PAM_NEW_AUTHTOK_REQD: |
|
|
/* Ignore if user is exempt from password restrictions. */ |
|
|
- if (exempt) |
|
|
- debug_return_int(AUTH_SUCCESS); |
|
|
+ if (exempt) { |
|
|
+ rc = *pam_status; |
|
|
+ break; |
|
|
+ } |
|
|
/* New password required, try to change it. */ |
|
|
log_warningx(0, N_("Account or password is " |
|
|
"expired, reset your password and try again")); |
|
|
- *pam_status = pam_chauthtok(pamh, |
|
|
- PAM_CHANGE_EXPIRED_AUTHTOK); |
|
|
- if (*pam_status == PAM_SUCCESS) |
|
|
- debug_return_int(AUTH_SUCCESS); |
|
|
- if ((s = pam_strerror(pamh, *pam_status)) == NULL) |
|
|
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); |
|
|
+ if (rc == PAM_SUCCESS) |
|
|
+ break; |
|
|
+ if ((s = pam_strerror(pamh, rc)) == NULL) |
|
|
s = "unknown error"; |
|
|
log_warningx(0, |
|
|
N_("unable to change expired password: %s"), s); |
|
|
- debug_return_int(AUTH_FAILURE); |
|
|
+ status = AUTH_FAILURE; |
|
|
+ break; |
|
|
case PAM_AUTHTOK_EXPIRED: |
|
|
/* Ignore if user is exempt from password restrictions. */ |
|
|
- if (exempt) |
|
|
- debug_return_int(AUTH_SUCCESS); |
|
|
+ if (exempt) { |
|
|
+ rc = *pam_status; |
|
|
+ break; |
|
|
+ } |
|
|
/* Password expired, cannot be updated by user. */ |
|
|
log_warningx(0, |
|
|
N_("Password expired, contact your system administrator")); |
|
|
- debug_return_int(AUTH_FATAL); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
case PAM_ACCT_EXPIRED: |
|
|
log_warningx(0, |
|
|
N_("Account expired or PAM config lacks an \"account\" " |
|
|
"section for sudo, contact your system administrator")); |
|
|
- debug_return_int(AUTH_FATAL); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
case PAM_AUTHINFO_UNAVAIL: |
|
|
case PAM_MAXTRIES: |
|
|
case PAM_PERM_DENIED: |
|
|
- s = pam_strerror(pamh, *pam_status); |
|
|
+ s = pam_strerror(pamh, rc); |
|
|
log_warningx(0, N_("PAM account management error: %s"), |
|
|
s ? s : "unknown error"); |
|
|
- debug_return_int(AUTH_FAILURE); |
|
|
+ status = AUTH_FAILURE; |
|
|
+ break; |
|
|
default: |
|
|
- s = pam_strerror(pamh, *pam_status); |
|
|
+ s = pam_strerror(pamh, rc); |
|
|
log_warningx(0, N_("PAM account management error: %s"), |
|
|
s ? s : "unknown error"); |
|
|
- debug_return_int(AUTH_FATAL); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
} |
|
|
+ *pam_status = rc; |
|
|
+ debug_return_int(status); |
|
|
} |
|
|
|
|
|
int |
|
|
unchanged: |
|
|
--- a/doc/sudoers.cat |
|
|
+++ b/doc/sudoers.cat |
|
|
@@ -1286,6 +1286,17 @@ S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�NS�S |
|
|
well as the _�P_�r_�e_�v_�e_�n_�t_�i_�n_�g _�s_�h_�e_�l_�l _�e_�s_�c_�a_�p_�e_�s section at the end |
|
|
of this manual. This flag is _�o_�f_�f by default. |
|
|
|
|
|
+ pam_acct_mgmt On systems that use PAM for authentication, s�su�ud�do�o will |
|
|
+ perform PAM account validation for the invoking user by |
|
|
+ default. The actual checks performed depend on which |
|
|
+ PAM modules are configured. If enabled, account |
|
|
+ validation will be performed regardless of whether or |
|
|
+ not a password is required. This flag is _�o_�n by |
|
|
+ default. |
|
|
+ |
|
|
+ This setting is only supported by version 1.8.28 or |
|
|
+ higher. |
|
|
+ |
|
|
pam_session On systems that use PAM for authentication, s�su�ud�do�o will |
|
|
create a new PAM session for the command to be run in. |
|
|
Disabling _�p_�a_�m_�__�s_�e_�s_�s_�i_�o_�n may be needed on older PAM |
|
|
unchanged: |
|
|
--- a/doc/sudoers.man.in |
|
|
+++ b/doc/sudoers.man.in |
|
|
@@ -2722,6 +2722,19 @@ This flag is |
|
|
\fIoff\fR |
|
|
by default. |
|
|
.TP 18n |
|
|
+pam_acct_mgmt |
|
|
+On systems that use PAM for authentication, |
|
|
+\fBsudo\fR |
|
|
+will perform PAM account validation for the invoking user by default. |
|
|
+The actual checks performed depend on which PAM modules are configured. |
|
|
+If enabled, account validation will be performed regardless of whether |
|
|
+or not a password is required. |
|
|
+This flag is |
|
|
+\fIon\fR |
|
|
+by default. |
|
|
+.sp |
|
|
+This setting is only supported by version 1.8.28 or higher. |
|
|
+.TP 18n |
|
|
pam_session |
|
|
On systems that use PAM for authentication, |
|
|
\fBsudo\fR |
|
|
unchanged: |
|
|
--- a/doc/sudoers.mdoc.in |
|
|
+++ b/doc/sudoers.mdoc.in |
|
|
@@ -2560,6 +2560,18 @@ section at the end of this manual. |
|
|
This flag is |
|
|
.Em off |
|
|
by default. |
|
|
+.It pam_acct_mgmt |
|
|
+On systems that use PAM for authentication, |
|
|
+.Nm sudo |
|
|
+will perform PAM account validation for the invoking user by default. |
|
|
+The actual checks performed depend on which PAM modules are configured. |
|
|
+If enabled, account validation will be performed regardless of whether |
|
|
+or not a password is required. |
|
|
+This flag is |
|
|
+.Em on |
|
|
+by default. |
|
|
+.Pp |
|
|
+This setting is only supported by version 1.8.28 or higher. |
|
|
.It pam_session |
|
|
On systems that use PAM for authentication, |
|
|
.Nm sudo |
|
|
only in patch2: |
|
|
unchanged: |
|
|
--- ./plugins/sudoers/auth/pam.c.pamm 2019-01-11 21:30:17.000000000 +0100 |
|
|
+++ ./plugins/sudoers/auth/pam.c 2019-08-02 15:14:38.980077956 +0200 |
|
|
@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud |
|
|
int *pam_status = (int *) auth->data; |
|
|
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) |
|
|
|
|
|
- rc = pam_acct_mgmt(pamh, PAM_SILENT); |
|
|
- switch (rc) { |
|
|
- case PAM_SUCCESS: |
|
|
- break; |
|
|
- case PAM_AUTH_ERR: |
|
|
- log_warningx(0, N_("account validation failure, " |
|
|
- "is your account locked?")); |
|
|
- status = AUTH_FATAL; |
|
|
- break; |
|
|
- case PAM_NEW_AUTHTOK_REQD: |
|
|
- /* Ignore if user is exempt from password restrictions. */ |
|
|
- if (exempt) { |
|
|
- rc = *pam_status; |
|
|
- break; |
|
|
- } |
|
|
- /* New password required, try to change it. */ |
|
|
- log_warningx(0, N_("Account or password is " |
|
|
- "expired, reset your password and try again")); |
|
|
- rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); |
|
|
- if (rc == PAM_SUCCESS) |
|
|
- break; |
|
|
- if ((s = pam_strerror(pamh, rc)) == NULL) |
|
|
- s = "unknown error"; |
|
|
- log_warningx(0, |
|
|
- N_("unable to change expired password: %s"), s); |
|
|
- status = AUTH_FAILURE; |
|
|
- break; |
|
|
- case PAM_AUTHTOK_EXPIRED: |
|
|
- /* Ignore if user is exempt from password restrictions. */ |
|
|
- if (exempt) { |
|
|
- rc = *pam_status; |
|
|
- break; |
|
|
- } |
|
|
- /* Password expired, cannot be updated by user. */ |
|
|
- log_warningx(0, |
|
|
- N_("Password expired, contact your system administrator")); |
|
|
- status = AUTH_FATAL; |
|
|
- break; |
|
|
- case PAM_ACCT_EXPIRED: |
|
|
- log_warningx(0, |
|
|
- N_("Account expired or PAM config lacks an \"account\" " |
|
|
- "section for sudo, contact your system administrator")); |
|
|
- status = AUTH_FATAL; |
|
|
- break; |
|
|
- case PAM_AUTHINFO_UNAVAIL: |
|
|
- case PAM_MAXTRIES: |
|
|
- case PAM_PERM_DENIED: |
|
|
- s = pam_strerror(pamh, rc); |
|
|
- log_warningx(0, N_("PAM account management error: %s"), |
|
|
- s ? s : "unknown error"); |
|
|
- status = AUTH_FAILURE; |
|
|
- break; |
|
|
- default: |
|
|
- s = pam_strerror(pamh, rc); |
|
|
- log_warningx(0, N_("PAM account management error: %s"), |
|
|
- s ? s : "unknown error"); |
|
|
- status = AUTH_FATAL; |
|
|
- break; |
|
|
+ if (def_pam_acct_mgmt) { |
|
|
+ rc = pam_acct_mgmt(pamh, PAM_SILENT); |
|
|
+ switch (rc) { |
|
|
+ case PAM_SUCCESS: |
|
|
+ break; |
|
|
+ case PAM_AUTH_ERR: |
|
|
+ log_warningx(0, N_("account validation failure, " |
|
|
+ "is your account locked?")); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
+ case PAM_NEW_AUTHTOK_REQD: |
|
|
+ /* Ignore if user is exempt from password restrictions. */ |
|
|
+ if (exempt) { |
|
|
+ rc = *pam_status; |
|
|
+ break; |
|
|
+ } |
|
|
+ /* New password required, try to change it. */ |
|
|
+ log_warningx(0, N_("Account or password is " |
|
|
+ "expired, reset your password and try again")); |
|
|
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); |
|
|
+ if (rc == PAM_SUCCESS) |
|
|
+ break; |
|
|
+ if ((s = pam_strerror(pamh, rc)) == NULL) |
|
|
+ s = "unknown error"; |
|
|
+ log_warningx(0, |
|
|
+ N_("unable to change expired password: %s"), s); |
|
|
+ status = AUTH_FAILURE; |
|
|
+ break; |
|
|
+ case PAM_AUTHTOK_EXPIRED: |
|
|
+ /* Ignore if user is exempt from password restrictions. */ |
|
|
+ if (exempt) { |
|
|
+ rc = *pam_status; |
|
|
+ break; |
|
|
+ } |
|
|
+ /* Password expired, cannot be updated by user. */ |
|
|
+ log_warningx(0, |
|
|
+ N_("Password expired, contact your system administrator")); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
+ case PAM_ACCT_EXPIRED: |
|
|
+ log_warningx(0, |
|
|
+ N_("Account expired or PAM config lacks an \"account\" " |
|
|
+ "section for sudo, contact your system administrator")); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
+ case PAM_AUTHINFO_UNAVAIL: |
|
|
+ case PAM_MAXTRIES: |
|
|
+ case PAM_PERM_DENIED: |
|
|
+ s = pam_strerror(pamh, rc); |
|
|
+ log_warningx(0, N_("PAM account management error: %s"), |
|
|
+ s ? s : "unknown error"); |
|
|
+ status = AUTH_FAILURE; |
|
|
+ break; |
|
|
+ default: |
|
|
+ s = pam_strerror(pamh, rc); |
|
|
+ log_warningx(0, N_("PAM account management error: %s"), |
|
|
+ s ? s : "unknown error"); |
|
|
+ status = AUTH_FATAL; |
|
|
+ break; |
|
|
+ } |
|
|
+ *pam_status = rc; |
|
|
} |
|
|
- *pam_status = rc; |
|
|
debug_return_int(status); |
|
|
} |
|
|
|
|
|
only in patch2: |
|
|
unchanged: |
|
|
--- ./plugins/sudoers/defaults.c.pamm 2019-08-02 15:14:38.973077882 +0200 |
|
|
+++ ./plugins/sudoers/defaults.c 2019-08-02 15:14:38.987078030 +0200 |
|
|
@@ -642,6 +642,7 @@ init_defaults(void) |
|
|
if ((def_editor = strdup(EDITOR)) == NULL) |
|
|
goto oom; |
|
|
def_set_utmp = true; |
|
|
+ def_pam_acct_mgmt = true; |
|
|
def_pam_setcred = true; |
|
|
def_syslog_maxlen = MAXSYSLOGLEN; |
|
|
def_case_insensitive_user = true; |
|
|
only in patch2: |
|
|
unchanged: |
|
|
--- ./plugins/sudoers/def_data.c.pamm 2019-08-02 15:14:38.976077914 +0200 |
|
|
+++ ./plugins/sudoers/def_data.c 2019-08-02 15:20:37.592876029 +0200 |
|
|
@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[] |
|
|
N_("Don't fork and wait for the command to finish, just exec it"), |
|
|
NULL, |
|
|
}, { |
|
|
+ "pam_acct_mgmt", T_FLAG, |
|
|
+ N_("Perform PAM account validation management"), |
|
|
+ NULL, |
|
|
+ }, { |
|
|
NULL, 0, NULL |
|
|
} |
|
|
}; |
|
|
only in patch2: |
|
|
unchanged: |
|
|
--- ./plugins/sudoers/def_data.h.pamm 2019-08-02 15:14:38.976077914 +0200 |
|
|
+++ ./plugins/sudoers/def_data.h 2019-08-02 15:14:38.987078030 +0200 |
|
|
@@ -230,6 +230,8 @@ |
|
|
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) |
|
|
#define I_CMND_NO_WAIT 115 |
|
|
#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) |
|
|
+#define I_PAM_ACCT_MGMT 116 |
|
|
+#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag) |
|
|
|
|
|
enum def_tuple { |
|
|
never, |
|
|
only in patch2: |
|
|
unchanged: |
|
|
--- ./plugins/sudoers/def_data.in.pamm 2019-08-02 15:14:38.976077914 +0200 |
|
|
+++ ./plugins/sudoers/def_data.in 2019-08-02 15:14:38.987078030 +0200 |
|
|
@@ -363,3 +363,6 @@ legacy_group_processing |
|
|
cmnd_no_wait |
|
|
T_FLAG |
|
|
"Don't fork and wait for the command to finish, just exec it" |
|
|
+pam_acct_mgmt |
|
|
+ T_FLAG |
|
|
+ "Perform PAM account validation management"
|
|
|
|
