Bug 421

Summary: PAM usage is broken
Product: Sudo
Reporter: Lennart Poettering <mzcnz>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.7.2   
Hardware: PC   
OS: Linux   

Description Lennart Poettering 2010-07-21 09:40:40 MDT
sudo uses PAM incorrectly: it calls pam_open_session() immediately followed by pam_close_session() and only then exec()s the actual process. 

pam_close_session() must be closed after the process terminates again, not before. This issue confused a number of PAM modules quite a bit.

login(1) does that correctly. After calling pam_open_session() it forks, and then in the parent process waits for the child to terminate and then calls pam_close_session(). 

http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=blob;f=login-utils/login.c;h=1550388c4574207857ae6843041eeff3cba52d39;hb=HEAD#l1166

sudo must follow the same scheme.
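
The ordering described in this report (open the session, fork, wait in the parent, then close), as an added C example that is not code from sudo, login(1) or the reporter. The `session_ops` hooks, `trace` struct and `run_demo()` are hypothetical stand-ins for a caller's pam_open_session()/pam_close_session() wrappers, so the sketch builds without libpam.

```c
#include <errno.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hooks: a real caller would wrap pam_open_session() and
 * pam_close_session() on its pam_handle_t; these only record ordering. */
struct trace { int opened, closed, reaped_first; };
struct session_ops {
    int  (*open_session)(void *ctx);
    void (*close_session)(void *ctx, pid_t child);
    void *ctx;
};
struct trace demo_trace;
int rec_open(void *ctx) { ((struct trace *)ctx)->opened = 1; return 0; }
void rec_close(void *ctx, pid_t child)
{
    struct trace *t = ctx;
    t->closed = 1;
    /* ECHILD here means the parent has already waited for this child. */
    t->reaped_first = (waitpid(child, NULL, WNOHANG) == -1 && errno == ECHILD);
}

/* Open the session, fork, exec argv in the child, wait in the parent, and
 * only then close the session. Returns exit code, 128+signal, or -1. */
int run_in_session(const struct session_ops *ops, char *const argv[])
{
    int status = 0;
    pid_t pid, w = -1;
    if (ops->open_session(ops->ctx) != 0) return -1;   /* nothing opened */
    pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                                    /* exec failed */
    }
    if (pid > 0)    /* parent: the session stays open while the child runs */
        do { w = waitpid(pid, &status, 0); } while (w == -1 && errno == EINTR);
    ops->close_session(ops->ctx, pid);  /* only after the child terminated */
    if (pid < 0 || w != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int run_demo(void)  /* constructed sample: child exits with status 7 */
{
    char *cmd[] = {"sh", "-c", "exit 7", NULL};
    struct session_ops ops = {rec_open, rec_close, &demo_trace};
    demo_trace = (struct trace){0, 0, 0};
    return run_in_session(&ops, cmd);
}
int main(void) { return run_demo() == 7 && demo_trace.reaped_first ? 0 : 1; }
```
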
Comment 1 Todd C. Miller 2010-07-21 10:19:14 MDT
This will be fixed in sudo 1.7.4.
Comment 2 Todd C. Miller 2010-08-02 15:00:30 MDT
Closing, sudo 1.7.4 is out now.