diff -up sudo-1.8.6p7/configure.in.pam_servicebackport sudo-1.8.6p7/configure.in --- sudo-1.8.6p7/configure.in.pam_servicebackport 2016-05-09 15:36:30.213715598 +0200 +++ sudo-1.8.6p7/configure.in 2016-05-09 15:36:30.237715261 +0200 @@ -121,6 +121,7 @@ AC_SUBST([nsswitch_conf]) AC_SUBST([netsvc_conf]) AC_SUBST([secure_path]) AC_SUBST([editor]) +AC_SUBST([pam_login_service]) # # Begin initial values for man page substitution # @@ -160,6 +161,7 @@ netsvc_conf=/etc/netsvc.conf noexec_file=/usr/local/libexec/sudo_noexec.so nsswitch_conf=/etc/nsswitch.conf secure_path="not set" +pam_login_service=sudo # # End initial values for man page substitution # @@ -2717,6 +2719,7 @@ if test ${with_pam-"no"} != "no"; then yes) AC_DEFINE([HAVE_PAM_LOGIN]) AC_MSG_CHECKING(whether to use PAM login) AC_MSG_RESULT(yes) + pam_login_service="sudo-i" ;; no) ;; *) AC_MSG_ERROR(["--with-pam-login does not take an argument."]) diff -up sudo-1.8.6p7/configure.pam_servicebackport sudo-1.8.6p7/configure --- sudo-1.8.6p7/configure.pam_servicebackport 2013-02-25 20:48:02.000000000 +0100 +++ sudo-1.8.6p7/configure 2016-05-09 15:36:30.238715247 +0200 @@ -658,6 +658,7 @@ OBJEXT EXEEXT ac_ct_CC CC +pam_login_service editor secure_path netsvc_conf @@ -2959,6 +2960,7 @@ netsvc_conf=/etc/netsvc.conf noexec_file=/usr/local/libexec/sudo_noexec.so nsswitch_conf=/etc/nsswitch.conf secure_path="not set" +pam_login_service=sudo # # End initial values for man page substitution # 
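Review bot: The `sudo-i` default set in the `--with-pam-login` branch of configure.in only feeds the man page substitution `@pam_login_service@`; the value the binary actually uses is hard-coded separately under `#ifdef HAVE_PAM_LOGIN` in the init_defaults hunk of plugins/sudoers/defaults.c. Both follow the same configure switch today, but they are kept in step by hand, and an administrator who relies on the documented default to decide which PAM policy file to review would be misled if the two drift apart. A comment at each site would make the coupling visible, for example `# keep in sync with def_pam_login_service in plugins/sudoers/defaults.c` here and `/* default must match pam_login_service in configure.in */` there. The enclosing `case` statement starts and ends outside the hunk.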
@@ -18631,6 +18633,7 @@ if test "${with_pam_login+set}" = set; t $as_echo_n "checking whether to use PAM login... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } + pam_login_service="sudo-i" ;; no) ;; *) as_fn_error $? "\"--with-pam-login does not take an argument.\"" "$LINENO" 5 diff -up sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport sudo-1.8.6p7/doc/sudoers.cat --- sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport 2016-05-09 15:36:30.222715472 +0200 +++ sudo-1.8.6p7/doc/sudoers.cat 2016-05-09 15:36:30.239715233 +0200 @@ -1245,6 +1245,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + pam_login_service + On systems that use PAM for authentication, this is the + service name used when the -^H-i^Hi option is specified. The + default value is ``sudo''. See the description of + _^Hp_^Ha_^Hm_^H__^Hs_^He_^Hr_^Hv_^Hi_^Hc_^He for more information. + + pam_service On systems that use PAM for authentication, the service + name specifies the PAM policy to apply. This usually + corresponds to an entry in the _^Hp_^Ha_^Hm_^H._^Hc_^Ho_^Hn_^Hf file or a fi + in the _^H/_^He_^Ht_^Hc_^H/_^Hp_^Ha_^Hm_^H._^Hd directory. The default valu + ``sudo''. + passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') diff -up sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.man.in --- sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport 2016-05-09 15:36:30.223715458 +0200 +++ sudo-1.8.6p7/doc/sudoers.man.in 2016-05-09 15:36:30.239715233 +0200 
@@ -2628,6 +2628,29 @@ The path to the noexec file should now b
 \fI@sysconfdir@/sudo.conf\fR
 file.
 .TP 18n
+pam_login_service
+.br
+On systems that use PAM for authentication, this is the service
+name used when the
+\fB\-i\fR
+option is specified.
+The default value is
+``\fR@pam_login_service@\fR''.
+See the description of
+\fIpam_service\fR
+for more information.
+.TP 18n
+pam_service
+On systems that use PAM for authentication, the service name
+specifies the PAM policy to apply.
+This usually corresponds to an entry in the
+\fIpam.conf\fR
+file or a file in the
+\fI/etc/pam.d\fR
+directory.
+The default value is
+``\fRsudo\fR''.
+.TP 18n
 passprompt
 The default prompt to use when asking for a password; can be overridden via the
 \fB\-p\fR
diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.mdoc.in
--- sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport 2016-05-09 15:36:30.223715458 +0200
+++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2016-05-09 15:36:30.240715219 +0200
@@ -2464,6 +2464,26 @@ This option is no longer supported.
 The path to the noexec file should now be set in the
 .Pa @sysconfdir@/sudo.conf
 file.
+.It pam_login_service
+On systems that use PAM for authentication, this is the service
+name used when the
+.Fl i
+option is specified.
+The default value is
+.Dq Li @pam_login_service@ .
+See the description of
+.Em pam_service
+for more information.
+.It pam_service
+On systems that use PAM for authentication, the service name
+specifies the PAM policy to apply.
+This usually corresponds to an entry in the
+.Pa pam.conf
+file or a file in the
+.Pa /etc/pam.d
+directory.
+The default value is
+.Dq Li sudo .
 .It passprompt
 The default prompt to use when asking for a password; can be overridden via the
 .Fl p
diff -up sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/auth/pam.c
--- sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport 2016-05-09 15:36:30.202715752 +0200
+++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c 2016-05-09 15:36:30.240715219 +0200
@@ -90,12 +90,8 @@ sudo_pam_init(struct passwd *pw, sudo_au
 if (auth != NULL)
 auth->data = (void *) &pam_status;
 pam_conv.conv = converse;
-#ifdef HAVE_PAM_LOGIN
- if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
- pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
- else
-#endif
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+ pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
+ def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
 if (pam_status != PAM_SUCCESS) {
 log_error(USE_ERRNO|NO_MAIL, _("unable to initialize PAM"));
 debug_return_int(AUTH_FATAL);
diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/defaults.c
--- sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport 2016-05-09 15:36:30.234715304 +0200
+++ sudo-1.8.6p7/plugins/sudoers/defaults.c 2016-05-09 15:36:30.240715219 +0200
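Review bot: The service name passed to pam_start() in the pam.c hunk now comes from sudoers, but nothing here records which name was chosen, and the failure message `unable to initialize PAM` does not mention it. On Linux-PAM an unknown service name usually does not make pam_start() fail; the `other` policy is applied instead, so a typo in `pam_service` or `pam_login_service` can change the authentication stack without reaching this error branch. I would pull the ternary into a named local declared with the function's other variables, `const char *pam_service = ISSET(sudo_mode, MODE_LOGIN_SHELL) ? def_pam_login_service : def_pam_service;`, add the comment `/* service name is set in sudoers and selects the PAM policy used to authenticate */`, and include the name in the failure log and any debug output. sudo_pam_init starts and ends outside the hunk, so whether either default can be NULL or empty at this point cannot be confirmed from here and is worth checking.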
@@ -424,6 +424,13 @@ init_defaults(void) def_env_reset = ENV_RESET; def_set_logname = true; def_closefrom = STDERR_FILENO + 1; + def_pam_service = estrdup("sudo"); +#ifdef HAVE_PAM_LOGIN + def_pam_login_service = estrdup("sudo-i"); +#else + def_pam_login_service = estrdup("sudo"); +#endif + /* Syslog options need special care since they both strings and ints */ #if (LOGGING & SLOG_SYSLOG) diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.c --- sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport 2016-05-09 15:36:30.234715304 +0200 +++ sudo-1.8.6p7/plugins/sudoers/def_data.c 2016-05-09 15:36:30.240715219 +0200 @@ -363,6 +363,14 @@ struct sudo_defs_types sudo_defs_table[] N_("Use both user and host/domain fields when matching netgroups"), NULL, }, { + "pam_service", T_STR, + N_("PAM service name to use"), + NULL, + }, { + "pam_login_service", T_STR, + N_("PAM service name to use for login shells"), + NULL, + }, { NULL, 0, NULL } }; diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.h --- sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport 2016-05-09 15:36:30.235715289 +0200 +++ sudo-1.8.6p7/plugins/sudoers/def_data.h 2016-05-09 15:36:30.240715219 +0200 @@ -168,6 +168,11 @@ #define I_LEGACY_GROUP_PROCESSING 83 #define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag) #define I_NETGROUP_TUPLE 84 +#define def_pam_service (sudo_defs_table[85].sd_un.str) +#define I_PAM_SERVICE 85 +#define def_pam_login_service (sudo_defs_table[86].sd_un.str) +#define I_PAM_LOGIN_SERVICE 86 + enum def_tuple { never, diff -up sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.in --- sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport 2013-02-25 20:42:44.000000000 +0100 +++ sudo-1.8.6p7/plugins/sudoers/def_data.in 2016-05-09 15:36:30.240715219 +0200 
@@ -259,3 +259,10 @@ privs
 limitprivs
 T_STR
 "Set of limit privileges"
+pam_service
+ T_STR
+ "PAM service name to use"
+pam_login_service
+ T_STR
+ "PAM service name to use for login shells"
+