Bug 513

Summary:	inconsistent PAM_USER value
Product:	Sudo	Reporter:	Bdale Garbee <bdale>
Component:	Sudo	Assignee:	Todd C. Miller <Todd.Miller>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	low
Version:	1.8.2
Hardware:	PC
OS:	Linux

Description Bdale Garbee 2011-09-27 00:06:52 MDT

A user of my Debian packages reported a problem with sudo after I updated the pam config to use common-session.  In helping diagnose the problem, Steve Langasek discovered that pam_open_session() and pam_close_session() are being called with different user names, which is clearly wrong.

See http://bugs.debian.org/639391 for the full discussion including more details from Steve about how he was debugging the problem.

Comment 1 Todd C. Miller 2011-09-27 11:13:45 MDT

The problem here is that in the case of a user authenticating, the pam handle is opened before the sudo monitoring process forks.  If no authentication is required, the pam handle is not created until resource limits need to be set, which is after the monitor process has started.  Since the monitor process is the one calling pam_close_session, there is no pam handle if the user didn't authenticate, which explains the missing close session in this case.  Also, since PAM_USER is updated right before resource limits are set this change is not reflected in the monitor, which explains the PAM_USER mismatch.

This will be fixed in sudo 1.8.3.

Comment 2 Todd C. Miller 2011-10-22 19:39:36 MDT

Sudo 1.8.3 is out now which has this fixed.