|
|
e7179e |
|
|
|
e7179e |
# HG changeset patch
|
|
|
e7179e |
# User Todd C. Miller <Todd.Miller@sudo.ws>
|
|
|
e7179e |
# Date 1544201494 25200
|
|
|
e7179e |
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
|
|
|
e7179e |
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
|
|
|
e7179e |
The fix for bug #843 was incomplete and caused pam_end() to be called early.
|
|
|
e7179e |
sudo_pam_approval() must not set the global pam status to an error
|
|
|
e7179e |
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
|
|
|
e7179e |
will call pam_end() before sudo_pam_begin_session(). This resulted
|
|
|
e7179e |
in a NULL PAM handle being used in sudo_pam_begin_session().
|
|
|
e7179e |
|
|
|
e7179e |
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
|
|
|
e7179e |
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
|
|
|
e7179e |
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
|
|
|
e7179e |
@@ -210,59 +210,68 @@
|
|
|
e7179e |
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
|
|
e7179e |
{
|
|
|
e7179e |
const char *s;
|
|
|
e7179e |
+ int rc, status = AUTH_SUCCESS;
|
|
|
e7179e |
int *pam_status = (int *) auth->data;
|
|
|
e7179e |
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
|
|
|
e7179e |
|
|
|
e7179e |
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
|
e7179e |
- switch (*pam_status) {
|
|
|
e7179e |
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
|
e7179e |
+ switch (rc) {
|
|
|
e7179e |
case PAM_SUCCESS:
|
|
|
e7179e |
- debug_return_int(AUTH_SUCCESS);
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
case PAM_AUTH_ERR:
|
|
|
e7179e |
log_warningx(0, N_("account validation failure, "
|
|
|
e7179e |
"is your account locked?"));
|
|
|
e7179e |
- debug_return_int(AUTH_FATAL);
|
|
|
e7179e |
+ status = AUTH_FATAL;
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
case PAM_NEW_AUTHTOK_REQD:
|
|
|
e7179e |
/* Ignore if user is exempt from password restrictions. */
|
|
|
e7179e |
if (exempt)
|
|
|
e7179e |
- debug_return_int(AUTH_SUCCESS);
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
/* New password required, try to change it. */
|
|
|
e7179e |
log_warningx(0, N_("Account or password is "
|
|
|
e7179e |
"expired, reset your password and try again"));
|
|
|
e7179e |
- *pam_status = pam_chauthtok(pamh,
|
|
|
e7179e |
- PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
|
e7179e |
- if (*pam_status == PAM_SUCCESS)
|
|
|
e7179e |
- debug_return_int(AUTH_SUCCESS);
|
|
|
e7179e |
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
|
|
|
e7179e |
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
|
e7179e |
+ if (rc == PAM_SUCCESS)
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
+ if ((s = pam_strerror(pamh, rc)) == NULL)
|
|
|
e7179e |
s = "unknown error";
|
|
|
e7179e |
log_warningx(0,
|
|
|
e7179e |
N_("unable to change expired password: %s"), s);
|
|
|
e7179e |
- debug_return_int(AUTH_FAILURE);
|
|
|
e7179e |
+ status = AUTH_FAILURE;
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
case PAM_AUTHTOK_EXPIRED:
|
|
|
e7179e |
/* Ignore if user is exempt from password restrictions. */
|
|
|
e7179e |
if (exempt)
|
|
|
e7179e |
- debug_return_int(AUTH_SUCCESS);
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
/* Password expired, cannot be updated by user. */
|
|
|
e7179e |
log_warningx(0,
|
|
|
e7179e |
N_("Password expired, contact your system administrator"));
|
|
|
e7179e |
- debug_return_int(AUTH_FATAL);
|
|
|
e7179e |
+ status = AUTH_FATAL;
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
case PAM_ACCT_EXPIRED:
|
|
|
e7179e |
log_warningx(0,
|
|
|
e7179e |
N_("Account expired or PAM config lacks an \"account\" "
|
|
|
e7179e |
"section for sudo, contact your system administrator"));
|
|
|
e7179e |
- debug_return_int(AUTH_FATAL);
|
|
|
e7179e |
+ status = AUTH_FATAL;
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
case PAM_AUTHINFO_UNAVAIL:
|
|
|
e7179e |
case PAM_MAXTRIES:
|
|
|
e7179e |
case PAM_PERM_DENIED:
|
|
|
e7179e |
- s = pam_strerror(pamh, *pam_status);
|
|
|
e7179e |
+ s = pam_strerror(pamh, rc);
|
|
|
e7179e |
log_warningx(0, N_("PAM account management error: %s"),
|
|
|
e7179e |
s ? s : "unknown error");
|
|
|
e7179e |
- debug_return_int(AUTH_FAILURE);
|
|
|
e7179e |
+ status = AUTH_FAILURE;
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
default:
|
|
|
e7179e |
- s = pam_strerror(pamh, *pam_status);
|
|
|
e7179e |
+ s = pam_strerror(pamh, rc);
|
|
|
e7179e |
log_warningx(0, N_("PAM account management error: %s"),
|
|
|
e7179e |
s ? s : "unknown error");
|
|
|
e7179e |
- debug_return_int(AUTH_FATAL);
|
|
|
e7179e |
+ status = AUTH_FATAL;
|
|
|
e7179e |
+ break;
|
|
|
e7179e |
}
|
|
|
e7179e |
+ /* Ignore errors if user is exempt from password restrictions. */
|
|
|
e7179e |
+ *pam_status = exempt ? PAM_SUCCESS : rc;
|
|
|
e7179e |
+ debug_return_int(status);
|
|
|
e7179e |
}
|
|
|
e7179e |
|
|
|
e7179e |
int
|
|
|
e7179e |
|