Bugzilla – Bug 642
pam_setcred should use PAM_REINITIALIZE_CRED instead of PAM_ESTABLISH_CRED
Last modified: 2014-05-07 13:29:44 MDT
Created attachment 403 [details] Fix both issues noted in the bug As documented here: http://docs.oracle.com/cd/E23824_01/html/819-2145/pam-1.html snip: Call pam_setcred(3PAM). The pam_setcred(3PAM) function is used to establish, modify, or delete user credentials. pam_setcred() is typically called when a user has been authenticated. The call is made after the account has been validated, but before a session has been opened. The pam_setcred() function is used with the PAM_ESTABLISH_CRED flag to establish a new user session. If the session is the renewal of an existing session, such as for lockscreen, pam_setcred() with the PAM_REFRESH_CRED flag should be called. If the session is changing the credentials, such as using su or assuming a role, then pam_setcred() with the PAM_REINITIALIZE_CRED flag should be called. The outcome of this issue is that the preselection mask is wrong on Solaris: $ sudo bash -c 'auditconfig -getpinfo $$' ... process preselection mask = lo(0x1000,0x1000) ... $ sudo rolemod -K audit_flags=lo,ex:no root $ sudo bash -c 'auditconfig -getpinfo $$' ... process preselection mask = lo(0x1000,0x1000) ... The preselection mask does not respect new flags. If I however do $ sudo su - $ auditconfig -getpinfo $$ ... process preselection mask = ex,lo(0x80001000,0x80001000) ... With the proposed patch attached sudo respects the new flag. There's second issue with pam_setcred. It is documented that the flag is turned on by default, but it is not the case. So the patch improves plugins/sudoers/defaults.c to make sudo behave as documented. Author of the patch is gary.winiger@oracle.com Thank you -- Vlad
Thanks, I've committed the fix.
Fixed in sudo 1.8.10p3
(In reply to Todd C Miller from comment #2) > Fixed in sudo 1.8.10p3 Thank you! -- Vlad