Bug 513 - inconsistent PAM_USER value
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.2
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2011-09-27 00:06 MDT by Bdale Garbee
Modified: 2011-10-22 19:39 MDT

Description Bdale Garbee 2011-09-27 00:06:52 MDT
A user of my Debian packages reported a problem with sudo after I updated the pam config to use common-session.  In helping diagnose the problem, Steve Langasek discovered that pam_open_session() and pam_close_session() are being called with different user names, which is clearly wrong.

See http://bugs.debian.org/639391 for the full discussion including more details from Steve about how he was debugging the problem.
Comment 1 Todd C. Miller 2011-09-27 11:13:45 MDT
The problem here is that in the case of a user authenticating, the pam handle is opened before the sudo monitoring process forks.  If no authentication is required, the pam handle is not created until resource limits need to be set, which is after the monitor process has started.  Since the monitor process is the one calling pam_close_session, there is no pam handle if the user didn't authenticate, which explains the missing close session in this case.  Also, since PAM_USER is updated right before resource limits are set, this change is not reflected in the monitor, which explains the PAM_USER mismatch.

This will be fixed in sudo 1.8.3.
Comment 2 Todd C. Miller 2011-10-22 19:39:36 MDT
Sudo 1.8.3 is out now which has this fixed.
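
The ordering problem described in Comment 1, as an added example that is not part of the original thread and is not sudo's code: a simplified model in which the monitor is the parent of a single `fork()` and a plain struct stands in for the PAM handle. The names `fake_pamh`, `set_pam_user`, `monitor_close_result`, the sample users, and the "update before fork" ordering are assumptions for illustration, not a description of the 1.8.3 change.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a PAM handle; only the PAM_USER item is modelled (assumption). */
struct fake_pamh { int valid; char user[32]; };

static void set_pam_user(struct fake_pamh *h, const char *user) {
    h->valid = 1;                          /* handle exists from now on */
    snprintf(h->user, sizeof h->user, "%s", user);
}

/*
 * What the monitor (the parent here) sees when it closes the session:
 *   1  handle present and PAM_USER equals the target user
 *   0  handle present but PAM_USER is stale (open/close names differ)
 *  -1  no handle in the monitor, so no close session at all
 *  -2  fork failed
 * update_before_fork = 0 models the ordering described in Comment 1;
 * update_before_fork = 1 is a hypothetical ordering that avoids both symptoms.
 */
int monitor_close_result(const char *auth_user, const char *target,
                         int authenticated, int update_before_fork) {
    struct fake_pamh h = {0, ""};
    if (authenticated) set_pam_user(&h, auth_user);   /* handle opened before fork */
    if (update_before_fork) set_pam_user(&h, target);

    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {                        /* command side of the fork */
        if (!update_before_fork) set_pam_user(&h, target); /* child's copy only */
        _exit(0);
    }
    waitpid(pid, NULL, 0);                 /* monitor waits, then closes session */
    if (!h.valid) return -1;
    return strcmp(h.user, target) == 0;
}

int main(void) {
    /* "alice" and "root" are constructed sample names. */
    printf("auth, update after fork:     %d\n", monitor_close_result("alice", "root", 1, 0));
    printf("no auth, update after fork:  %d\n", monitor_close_result("alice", "root", 0, 0));
    printf("auth, update before fork:    %d\n", monitor_close_result("alice", "root", 1, 1));
    printf("no auth, update before fork: %d\n", monitor_close_result("alice", "root", 0, 1));
    return 0;
}
```

Because `fork()` gives each process its own copy of the handle, any state that the closing process needs has to be in place before the fork.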