|
 |
a67eaf |
diff -up sudo-1.8.6p7/configure.in.pam_servicebackport sudo-1.8.6p7/configure.in
|
|
|
a67eaf |
--- sudo-1.8.6p7/configure.in.pam_servicebackport 2016-05-09 15:36:30.213715598 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/configure.in 2016-05-09 15:36:30.237715261 +0200
|
|
|
a67eaf |
@@ -121,6 +121,7 @@ AC_SUBST([nsswitch_conf])
|
|
|
a67eaf |
AC_SUBST([netsvc_conf])
|
|
|
a67eaf |
AC_SUBST([secure_path])
|
|
|
a67eaf |
AC_SUBST([editor])
|
|
|
a67eaf |
+AC_SUBST([pam_login_service])
|
|
|
a67eaf |
#
|
|
|
a67eaf |
# Begin initial values for man page substitution
|
|
|
a67eaf |
#
|
|
|
a67eaf |
@@ -160,6 +161,7 @@ netsvc_conf=/etc/netsvc.conf
|
|
|
a67eaf |
noexec_file=/usr/local/libexec/sudo_noexec.so
|
|
|
a67eaf |
nsswitch_conf=/etc/nsswitch.conf
|
|
|
a67eaf |
secure_path="not set"
|
|
|
a67eaf |
+pam_login_service=sudo
|
|
|
a67eaf |
#
|
|
|
a67eaf |
# End initial values for man page substitution
|
|
|
a67eaf |
#
|
|
|
a67eaf |
@@ -2717,6 +2719,7 @@ if test ${with_pam-"no"} != "no"; then
|
|
|
a67eaf |
yes) AC_DEFINE([HAVE_PAM_LOGIN])
|
|
|
a67eaf |
AC_MSG_CHECKING(whether to use PAM login)
|
|
|
a67eaf |
AC_MSG_RESULT(yes)
|
|
|
a67eaf |
+ pam_login_service="sudo-i"
|
|
|
a67eaf |
;;
|
|
|
a67eaf |
no) ;;
|
|
|
a67eaf |
*) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/configure.pam_servicebackport sudo-1.8.6p7/configure
|
|
|
a67eaf |
--- sudo-1.8.6p7/configure.pam_servicebackport 2013-02-25 20:48:02.000000000 +0100
|
|
|
a67eaf |
+++ sudo-1.8.6p7/configure 2016-05-09 15:36:30.238715247 +0200
|
|
|
a67eaf |
@@ -658,6 +658,7 @@ OBJEXT
|
|
|
a67eaf |
EXEEXT
|
|
|
a67eaf |
ac_ct_CC
|
|
|
a67eaf |
CC
|
|
|
a67eaf |
+pam_login_service
|
|
|
a67eaf |
editor
|
|
|
a67eaf |
secure_path
|
|
|
a67eaf |
netsvc_conf
|
|
|
a67eaf |
@@ -2959,6 +2960,7 @@ netsvc_conf=/etc/netsvc.conf
|
|
|
a67eaf |
noexec_file=/usr/local/libexec/sudo_noexec.so
|
|
|
a67eaf |
nsswitch_conf=/etc/nsswitch.conf
|
|
|
a67eaf |
secure_path="not set"
|
|
|
a67eaf |
+pam_login_service=sudo
|
|
|
a67eaf |
#
|
|
|
a67eaf |
# End initial values for man page substitution
|
|
|
a67eaf |
#
|
|
|
a67eaf |
@@ -18631,6 +18633,7 @@ if test "${with_pam_login+set}" = set; t
|
|
|
a67eaf |
$as_echo_n "checking whether to use PAM login... " >&6; }
|
|
|
a67eaf |
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
|
|
a67eaf |
$as_echo "yes" >&6; }
|
|
|
a67eaf |
+ pam_login_service="sudo-i"
|
|
|
a67eaf |
;;
|
|
|
a67eaf |
no) ;;
|
|
|
a67eaf |
*) as_fn_error $? "\"--with-pam-login does not take an argument.\"" "$LINENO" 5
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport sudo-1.8.6p7/doc/sudoers.cat
|
|
|
a67eaf |
--- sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport 2016-05-09 15:36:30.222715472 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/doc/sudoers.cat 2016-05-09 15:36:30.239715233 +0200
|
|
|
a67eaf |
@@ -1245,6 +1245,18 @@ S?SU?UD?DO?OE?ER?RS?S O?OP?PT?TI?IO?ON?N
|
|
|
a67eaf |
noexec file should now be set in the _?/_?e_?t_?c_?/_?s_?u_?d_?o_?._?c_?o_?n_?f
|
|
|
a67eaf |
file.
|
|
|
a67eaf |
|
|
|
a67eaf |
+ pam_login_service
|
|
|
a67eaf |
+ On systems that use PAM for authentication, this is the
|
|
|
a67eaf |
+ service name used when the -^H-i^Hi option is specified. The
|
|
|
a67eaf |
+ default value is ``sudo''. See the description of
|
|
|
a67eaf |
+ _^Hp_^Ha_^Hm_^H__^Hs_^He_^Hr_^Hv_^Hi_^Hc_^He for more information.
|
|
|
a67eaf |
+
|
|
|
a67eaf |
+ pam_service On systems that use PAM for authentication, the service
|
|
|
a67eaf |
+ name specifies the PAM policy to apply. This usually
|
|
|
a67eaf |
+ corresponds to an entry in the _^Hp_^Ha_^Hm_^H._^Hc_^Ho_^Hn_^Hf file or a fi
|
|
|
a67eaf |
+ in the _^H/_^He_^Ht_^Hc_^H/_^Hp_^Ha_^Hm_^H._^Hd directory. The default valu
|
|
|
a67eaf |
+ ``sudo''.
|
|
|
a67eaf |
+
|
|
|
a67eaf |
passprompt The default prompt to use when asking for a password;
|
|
|
a67eaf |
can be overridden via the -?-p?p option or the SUDO_PROMPT
|
|
|
a67eaf |
environment variable. The following percent (`%')
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.man.in
|
|
|
a67eaf |
--- sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport 2016-05-09 15:36:30.223715458 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/doc/sudoers.man.in 2016-05-09 15:36:30.239715233 +0200
|
|
|
a67eaf |
@@ -2628,6 +2628,29 @@ The path to the noexec file should now b
|
|
|
a67eaf |
\fI@sysconfdir@/sudo.conf\fR
|
|
|
a67eaf |
file.
|
|
|
a67eaf |
.TP 18n
|
|
|
a67eaf |
+pam_login_service
|
|
|
a67eaf |
+.br
|
|
|
a67eaf |
+On systems that use PAM for authentication, this is the service
|
|
|
a67eaf |
+name used when the
|
|
|
a67eaf |
+\fB\-i\fR
|
|
|
a67eaf |
+option is specified.
|
|
|
a67eaf |
+The default value is
|
|
|
a67eaf |
+``\fR@pam_login_service@\fR''.
|
|
|
a67eaf |
+See the description of
|
|
|
a67eaf |
+\fIpam_service\fR
|
|
|
a67eaf |
+for more information.
|
|
|
a67eaf |
+.TP 18n
|
|
|
a67eaf |
+pam_service
|
|
|
a67eaf |
+On systems that use PAM for authentication, the service name
|
|
|
a67eaf |
+specifies the PAM policy to apply.
|
|
|
a67eaf |
+This usually corresponds to an entry in the
|
|
|
a67eaf |
+\fIpam.conf\fR
|
|
|
a67eaf |
+file or a file in the
|
|
|
a67eaf |
+\fI/etc/pam.d\fR
|
|
|
a67eaf |
+directory.
|
|
|
a67eaf |
+The default value is
|
|
|
a67eaf |
+``\fRsudo\fR''.
|
|
|
a67eaf |
+.TP 18n
|
|
|
a67eaf |
passprompt
|
|
|
a67eaf |
The default prompt to use when asking for a password; can be overridden via the
|
|
|
a67eaf |
\fB\-p\fR
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.mdoc.in
|
|
|
a67eaf |
--- sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport 2016-05-09 15:36:30.223715458 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2016-05-09 15:36:30.240715219 +0200
|
|
|
a67eaf |
@@ -2464,6 +2464,26 @@ This option is no longer supported.
|
|
|
a67eaf |
The path to the noexec file should now be set in the
|
|
|
a67eaf |
.Pa @sysconfdir@/sudo.conf
|
|
|
a67eaf |
file.
|
|
|
a67eaf |
+.It pam_login_service
|
|
|
a67eaf |
+On systems that use PAM for authentication, this is the service
|
|
|
a67eaf |
+name used when the
|
|
|
a67eaf |
+.Fl i
|
|
|
a67eaf |
+option is specified.
|
|
|
a67eaf |
+The default value is
|
|
|
a67eaf |
+.Dq Li @pam_login_service@ .
|
|
|
a67eaf |
+See the description of
|
|
|
a67eaf |
+.Em pam_service
|
|
|
a67eaf |
+for more information.
|
|
|
a67eaf |
+.It pam_service
|
|
|
a67eaf |
+On systems that use PAM for authentication, the service name
|
|
|
a67eaf |
+specifies the PAM policy to apply.
|
|
|
a67eaf |
+This usually corresponds to an entry in the
|
|
|
a67eaf |
+.Pa pam.conf
|
|
|
a67eaf |
+file or a file in the
|
|
|
a67eaf |
+.Pa /etc/pam.d
|
|
|
a67eaf |
+directory.
|
|
|
a67eaf |
+The default value is
|
|
|
a67eaf |
+.Dq Li sudo .
|
|
|
a67eaf |
.It passprompt
|
|
|
a67eaf |
The default prompt to use when asking for a password; can be overridden via the
|
|
|
a67eaf |
.Fl p
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/auth/pam.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport 2016-05-09 15:36:30.202715752 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c 2016-05-09 15:36:30.240715219 +0200
|
|
|
a67eaf |
@@ -90,12 +90,8 @@ sudo_pam_init(struct passwd *pw, sudo_au
|
|
|
a67eaf |
if (auth != NULL)
|
|
|
a67eaf |
auth->data = (void *) &pam_status;
|
|
|
a67eaf |
pam_conv.conv = converse;
|
|
|
a67eaf |
-#ifdef HAVE_PAM_LOGIN
|
|
|
a67eaf |
- if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
|
|
|
a67eaf |
- pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
|
|
|
a67eaf |
- else
|
|
|
a67eaf |
-#endif
|
|
|
a67eaf |
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
|
|
|
a67eaf |
+ pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
|
|
|
a67eaf |
+ def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
|
|
|
a67eaf |
if (pam_status != PAM_SUCCESS) {
|
|
|
a67eaf |
log_error(USE_ERRNO|NO_MAIL, _("unable to initialize PAM"));
|
|
|
a67eaf |
debug_return_int(AUTH_FATAL);
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/defaults.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport 2016-05-09 15:36:30.234715304 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/defaults.c 2016-05-09 15:36:30.240715219 +0200
|
|
|
a67eaf |
@@ -424,6 +424,13 @@ init_defaults(void)
|
|
|
a67eaf |
def_env_reset = ENV_RESET;
|
|
|
a67eaf |
def_set_logname = true;
|
|
|
a67eaf |
def_closefrom = STDERR_FILENO + 1;
|
|
|
a67eaf |
+ def_pam_service = estrdup("sudo");
|
|
|
a67eaf |
+#ifdef HAVE_PAM_LOGIN
|
|
|
a67eaf |
+ def_pam_login_service = estrdup("sudo-i");
|
|
|
a67eaf |
+#else
|
|
|
a67eaf |
+ def_pam_login_service = estrdup("sudo");
|
|
|
a67eaf |
+#endif
|
|
|
a67eaf |
+
|
|
|
a67eaf |
|
|
|
a67eaf |
/* Syslog options need special care since they both strings and ints */
|
|
|
a67eaf |
#if (LOGGING & SLOG_SYSLOG)
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport 2016-05-09 15:36:30.234715304 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/def_data.c 2016-05-09 15:36:30.240715219 +0200
|
|
|
a67eaf |
@@ -363,6 +363,14 @@ struct sudo_defs_types sudo_defs_table[]
|
|
|
a67eaf |
N_("Use both user and host/domain fields when matching netgroups"),
|
|
|
a67eaf |
NULL,
|
|
|
a67eaf |
}, {
|
|
|
a67eaf |
+ "pam_service", T_STR,
|
|
|
a67eaf |
+ N_("PAM service name to use"),
|
|
|
a67eaf |
+ NULL,
|
|
|
a67eaf |
+ }, {
|
|
|
a67eaf |
+ "pam_login_service", T_STR,
|
|
|
a67eaf |
+ N_("PAM service name to use for login shells"),
|
|
|
a67eaf |
+ NULL,
|
|
|
a67eaf |
+ }, {
|
|
|
a67eaf |
NULL, 0, NULL
|
|
|
a67eaf |
}
|
|
|
a67eaf |
};
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.h
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport 2016-05-09 15:36:30.235715289 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/def_data.h 2016-05-09 15:36:30.240715219 +0200
|
|
|
a67eaf |
@@ -168,6 +168,11 @@
|
|
|
a67eaf |
#define I_LEGACY_GROUP_PROCESSING 83
|
|
|
a67eaf |
#define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag)
|
|
|
a67eaf |
#define I_NETGROUP_TUPLE 84
|
|
|
a67eaf |
+#define def_pam_service (sudo_defs_table[85].sd_un.str)
|
|
|
a67eaf |
+#define I_PAM_SERVICE 85
|
|
|
a67eaf |
+#define def_pam_login_service (sudo_defs_table[86].sd_un.str)
|
|
|
a67eaf |
+#define I_PAM_LOGIN_SERVICE 86
|
|
|
a67eaf |
+
|
|
|
a67eaf |
|
|
|
a67eaf |
enum def_tuple {
|
|
|
a67eaf |
never,
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.in
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport 2013-02-25 20:42:44.000000000 +0100
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/def_data.in 2016-05-09 15:36:30.240715219 +0200
|
|
|
a67eaf |
@@ -259,3 +259,10 @@ privs
|
|
|
a67eaf |
limitprivs
|
|
|
a67eaf |
T_STR
|
|
|
a67eaf |
"Set of limit privileges"
|
|
|
a67eaf |
+pam_service
|
|
|
a67eaf |
+ T_STR
|
|
|
a67eaf |
+ "PAM service name to use"
|
|
|
a67eaf |
+pam_login_service
|
|
|
a67eaf |
+ T_STR
|
|
|
a67eaf |
+ "PAM service name to use for login shells"
|
|
|
a67eaf |
+
|