104 lines
3.5 KiB
Diff
104 lines
3.5 KiB
Diff
|
|
# HG changeset patch
|
|
# User Todd C. Miller <Todd.Miller@sudo.ws>
|
|
# Date 1544201494 25200
|
|
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
|
|
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
|
|
The fix for bug #843 was incomplete and caused pam_end() to be called early.
|
|
sudo_pam_approval() must not set the global pam status to an error
|
|
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
|
|
will call pam_end() before sudo_pam_begin_session(). This resulted
|
|
in a NULL PAM handle being used in sudo_pam_begin_session().
|
|
|
|
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
|
|
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
|
|
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
|
|
@@ -210,59 +210,68 @@
|
|
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
|
{
|
|
const char *s;
|
|
+ int rc, status = AUTH_SUCCESS;
|
|
int *pam_status = (int *) auth->data;
|
|
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
|
|
|
|
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
- switch (*pam_status) {
|
|
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
+ switch (rc) {
|
|
case PAM_SUCCESS:
|
|
- debug_return_int(AUTH_SUCCESS);
|
|
+ break;
|
|
case PAM_AUTH_ERR:
|
|
log_warningx(0, N_("account validation failure, "
|
|
"is your account locked?"));
|
|
- debug_return_int(AUTH_FATAL);
|
|
+ status = AUTH_FATAL;
|
|
+ break;
|
|
case PAM_NEW_AUTHTOK_REQD:
|
|
/* Ignore if user is exempt from password restrictions. */
|
|
if (exempt)
|
|
- debug_return_int(AUTH_SUCCESS);
|
|
+ break;
|
|
/* New password required, try to change it. */
|
|
log_warningx(0, N_("Account or password is "
|
|
"expired, reset your password and try again"));
|
|
- *pam_status = pam_chauthtok(pamh,
|
|
- PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
- if (*pam_status == PAM_SUCCESS)
|
|
- debug_return_int(AUTH_SUCCESS);
|
|
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
|
|
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
+ if (rc == PAM_SUCCESS)
|
|
+ break;
|
|
+ if ((s = pam_strerror(pamh, rc)) == NULL)
|
|
s = "unknown error";
|
|
log_warningx(0,
|
|
N_("unable to change expired password: %s"), s);
|
|
- debug_return_int(AUTH_FAILURE);
|
|
+ status = AUTH_FAILURE;
|
|
+ break;
|
|
case PAM_AUTHTOK_EXPIRED:
|
|
/* Ignore if user is exempt from password restrictions. */
|
|
if (exempt)
|
|
- debug_return_int(AUTH_SUCCESS);
|
|
+ break;
|
|
/* Password expired, cannot be updated by user. */
|
|
log_warningx(0,
|
|
N_("Password expired, contact your system administrator"));
|
|
- debug_return_int(AUTH_FATAL);
|
|
+ status = AUTH_FATAL;
|
|
+ break;
|
|
case PAM_ACCT_EXPIRED:
|
|
log_warningx(0,
|
|
N_("Account expired or PAM config lacks an \"account\" "
|
|
"section for sudo, contact your system administrator"));
|
|
- debug_return_int(AUTH_FATAL);
|
|
+ status = AUTH_FATAL;
|
|
+ break;
|
|
case PAM_AUTHINFO_UNAVAIL:
|
|
case PAM_MAXTRIES:
|
|
case PAM_PERM_DENIED:
|
|
- s = pam_strerror(pamh, *pam_status);
|
|
+ s = pam_strerror(pamh, rc);
|
|
log_warningx(0, N_("PAM account management error: %s"),
|
|
s ? s : "unknown error");
|
|
- debug_return_int(AUTH_FAILURE);
|
|
+ status = AUTH_FAILURE;
|
|
+ break;
|
|
default:
|
|
- s = pam_strerror(pamh, *pam_status);
|
|
+ s = pam_strerror(pamh, rc);
|
|
log_warningx(0, N_("PAM account management error: %s"),
|
|
s ? s : "unknown error");
|
|
- debug_return_int(AUTH_FATAL);
|
|
+ status = AUTH_FATAL;
|
|
+ break;
|
|
}
|
|
+ /* Ignore errors if user is exempt from password restrictions. */
|
|
+ *pam_status = exempt ? PAM_SUCCESS : rc;
|
|
+ debug_return_int(status);
|
|
}
|
|
|
|
int
|
|
|