Blame SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch

02d491
From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001
02d491
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
02d491
Date: Thu, 26 Jul 2018 12:31:29 -0600
02d491
Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors
02d491
 from pam_acct_mgmt() if authentication is disabled for the user. Bug #843
02d491
02d491
---
02d491
 plugins/sudoers/auth/bsdauth.c   |  2 +-
02d491
 plugins/sudoers/auth/pam.c       | 10 +++++++++-
02d491
 plugins/sudoers/auth/sudo_auth.c |  4 ++--
02d491
 plugins/sudoers/auth/sudo_auth.h |  6 +++---
02d491
 plugins/sudoers/check.c          |  4 +++-
02d491
 plugins/sudoers/sudoers.h        |  2 +-
02d491
 6 files changed, 19 insertions(+), 9 deletions(-)
02d491
02d491
diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c
02d491
index 444cd337..390263d3 100644
02d491
--- a/plugins/sudoers/auth/bsdauth.c
02d491
+++ b/plugins/sudoers/auth/bsdauth.c
02d491
@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
02d491
 }
02d491
 
02d491
 int
02d491
-bsdauth_approval(struct passwd *pw, sudo_auth *auth)
02d491
+bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
02d491
 {
02d491
     struct bsdauth_state *state = auth->data;
02d491
     debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH)
02d491
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
02d491
index 347289da..a4749448 100644
02d491
--- a/plugins/sudoers/auth/pam.c
02d491
+++ b/plugins/sudoers/auth/pam.c
02d491
@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
02d491
 }
02d491
 
02d491
 int
02d491
-sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
02d491
+sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
02d491
 {
02d491
     const char *s;
02d491
     int *pam_status = (int *) auth->data;
02d491
@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
02d491
 		"is your account locked?"));
02d491
 	    debug_return_int(AUTH_FATAL);
02d491
 	case PAM_NEW_AUTHTOK_REQD:
02d491
+	    /* Ignore if user is exempt from password restrictions. */
02d491
+	    if (exempt)
02d491
+		debug_return_int(AUTH_SUCCESS);
02d491
+	    /* New password required, try to change it. */
02d491
 	    log_warningx(0, N_("Account or password is "
02d491
 		"expired, reset your password and try again"));
02d491
 	    *pam_status = pam_chauthtok(pamh,
02d491
@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
02d491
 		N_("unable to change expired password: %s"), s);
02d491
 	    debug_return_int(AUTH_FAILURE);
02d491
 	case PAM_AUTHTOK_EXPIRED:
02d491
+	    /* Ignore if user is exempt from password restrictions. */
02d491
+	    if (exempt)
02d491
+		debug_return_int(AUTH_SUCCESS);
02d491
+	    /* Password expired, cannot be updated by user. */
02d491
 	    log_warningx(0,
02d491
 		N_("Password expired, contact your system administrator"));
02d491
 	    debug_return_int(AUTH_FATAL);
02d491
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
02d491
index 6ef9bd72..5d9382dc 100644
02d491
--- a/plugins/sudoers/auth/sudo_auth.c
02d491
+++ b/plugins/sudoers/auth/sudo_auth.c
02d491
@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw)
02d491
  * Returns true on success, false on failure and -1 on error.
02d491
  */
02d491
 int
02d491
-sudo_auth_approval(struct passwd *pw, int validated)
02d491
+sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
02d491
 {
02d491
     sudo_auth *auth;
02d491
     debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH)
02d491
@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated)
02d491
     /* Call approval routines. */
02d491
     for (auth = auth_switch; auth->name; auth++) {
02d491
 	if (auth->approval && !IS_DISABLED(auth)) {
02d491
-	    int status = (auth->approval)(pw, auth);
02d491
+	    int status = (auth->approval)(pw, auth, exempt);
02d491
 	    if (status != AUTH_SUCCESS) {
02d491
 		/* Assume error msg already printed. */
02d491
 		log_auth_failure(validated, 0);
02d491
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
02d491
index ea5ed9cd..9ae69cd5 100644
02d491
--- a/plugins/sudoers/auth/sudo_auth.h
02d491
+++ b/plugins/sudoers/auth/sudo_auth.h
02d491
@@ -31,7 +31,7 @@ typedef struct sudo_auth {
02d491
     int (*init)(struct passwd *pw, struct sudo_auth *auth);
02d491
     int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth);
02d491
     int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
02d491
-    int (*approval)(struct passwd *pw, struct sudo_auth *auth);
02d491
+    int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt);
02d491
     int (*cleanup)(struct passwd *pw, struct sudo_auth *auth);
02d491
     int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
02d491
     int (*end_session)(struct passwd *pw, struct sudo_auth *auth);
02d491
@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv;
02d491
 /* Prototypes for standalone methods */
02d491
 int bsdauth_init(struct passwd *pw, sudo_auth *auth);
02d491
 int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
02d491
-int bsdauth_approval(struct passwd *pw, sudo_auth *auth);
02d491
+int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
02d491
 int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
02d491
 int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
02d491
 int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
02d491
@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
02d491
 int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
02d491
 int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
02d491
 int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
02d491
-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth);
02d491
+int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
02d491
 int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
02d491
 int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
02d491
 int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth);
02d491
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
02d491
index ed49d63a..486a80d8 100644
02d491
--- a/plugins/sudoers/check.c
02d491
+++ b/plugins/sudoers/check.c
02d491
@@ -175,6 +175,7 @@ check_user(int validated, int mode)
02d491
 {
02d491
     struct passwd *auth_pw;
02d491
     int ret = -1;
02d491
+    bool exempt = false;
02d491
     debug_decl(check_user, SUDOERS_DEBUG_AUTH)
02d491
 
02d491
     /*
02d491
@@ -194,6 +195,7 @@ check_user(int validated, int mode)
02d491
 	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
02d491
 	    !def_authenticate ? "authentication disabled" :
02d491
 	    "user exempt from authentication");
02d491
+	exempt = true;
02d491
 	ret = true;
02d491
 	goto done;
02d491
     }
02d491
@@ -218,7 +220,7 @@ check_user(int validated, int mode)
02d491
 done:
02d491
     if (ret == true) {
02d491
 	/* The approval function may disallow a user post-authentication. */
02d491
-	ret = sudo_auth_approval(auth_pw, validated);
02d491
+	ret = sudo_auth_approval(auth_pw, validated, exempt);
02d491
     }
02d491
     sudo_auth_cleanup(auth_pw);
02d491
     sudo_pw_delref(auth_pw);
02d491
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
02d491
index 57db74c1..956cb084 100644
02d491
--- a/plugins/sudoers/sudoers.h
02d491
+++ b/plugins/sudoers/sudoers.h
02d491
@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv
02d491
 int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
02d491
 int sudo_auth_end_session(struct passwd *pw);
02d491
 int sudo_auth_init(struct passwd *pw);
02d491
-int sudo_auth_approval(struct passwd *pw, int validated);
02d491
+int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
02d491
 int sudo_auth_cleanup(struct passwd *pw);
02d491
 
02d491
 /* set_perms.c */
02d491
-- 
02d491
2.13.6
02d491