File sudo-1.8.2-pam_session.patch of Package sudo.openSUSE_12.1_Update

Index: sudo-1.8.2/doc/sudo_plugin.cat
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.cat	2011-08-17 15:54:18.000000000 +0200
+++ sudo-1.8.2/doc/sudo_plugin.cat	2012-06-01 16:01:07.704685471 +0200
@@ -585,11 +585,12 @@ DDEESSCCRRIIPPTTIIOONN
        init_session
             int (*init_session)(struct passwd *pwd);
 
-           The init_session function is called when ssuuddoo sets up the execution
-           environment for the command, immediately before the contents of the
-           _c_o_m_m_a_n_d___i_n_f_o list are applied (before the uid changes).  This can
-           be used to do session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o,
-           such as opening the PAM session.
+           The init_session function is called before ssuuddoo sets up the
+           execution environment for the command.  It is run in the parent
+           ssuuddoo process and before any uid or gid changes.  This can be used
+           to perform session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o,
+           such as opening the PAM session.  The close function can be used to
+           tear down the session that was opened by init_session.
 
            The _p_w_d argument points to a passwd struct for the user the command
            will be run as if the uid the command will run as was found in the
Index: sudo-1.8.2/doc/sudo_plugin.man.in
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.man.in	2011-08-17 15:54:18.000000000 +0200
+++ sudo-1.8.2/doc/sudo_plugin.man.in	2012-06-01 16:01:07.705685470 +0200
@@ -756,11 +756,12 @@ support credential caching.
 \& int (*init_session)(struct passwd *pwd);
 .Ve
 .Sp
-The \f(CW\*(C`init_session\*(C'\fR function is called when \fBsudo\fR sets up the
-execution environment for the command, immediately before the
-contents of the \fIcommand_info\fR list are applied (before the uid
-changes).  This can be used to do session setup that is not supported
-by \fIcommand_info\fR, such as opening the \s-1PAM\s0 session.
+The \f(CW\*(C`init_session\*(C'\fR function is called before \fBsudo\fR sets up the
+execution environment for the command.  It is run in the parent
+\&\fBsudo\fR process and before any uid or gid changes.  This can be used
+to perform session setup that is not supported by \fIcommand_info\fR,
+such as opening the \s-1PAM\s0 session.  The \f(CW\*(C`close\*(C'\fR function can be
+used to tear down the session that was opened by \f(CW\*(C`init_session\*(C'\fR.
 .Sp
 The \fIpwd\fR argument points to a passwd struct for the user the
 command will be run as if the uid the command will run as was found
Index: sudo-1.8.2/doc/sudo_plugin.pod
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.pod	2011-03-18 15:25:11.000000000 +0100
+++ sudo-1.8.2/doc/sudo_plugin.pod	2012-06-01 16:01:07.705685470 +0200
@@ -698,11 +698,12 @@ support credential caching.
 
  int (*init_session)(struct passwd *pwd);
 
-The C<init_session> function is called when B<sudo> sets up the
-execution environment for the command, immediately before the
-contents of the I<command_info> list are applied (before the uid
-changes).  This can be used to do session setup that is not supported
-by I<command_info>, such as opening the PAM session.
+The C<init_session> function is called before B<sudo> sets up the
+execution environment for the command.  It is run in the parent
+B<sudo> process and before any uid or gid changes.  This can be used
+to perform session setup that is not supported by I<command_info>,
+such as opening the PAM session.  The C<close> function can be
+used to tear down the session that was opened by C<init_session>.
 
 The I<pwd> argument points to a passwd struct for the user the
 command will be run as if the uid the command will run as was found
Index: sudo-1.8.2/src/exec.c
===================================================================
--- sudo-1.8.2.orig/src/exec.c	2011-06-04 16:01:30.000000000 +0200
+++ sudo-1.8.2/src/exec.c	2012-06-01 16:01:07.706685469 +0200
@@ -57,6 +57,7 @@
 #include <fcntl.h>
 #include <signal.h>
 #include <termios.h>
+#include <pwd.h>
 
 #include "sudo.h"
 #include "sudo_exec.h"
@@ -119,6 +120,15 @@ static int fork_cmnd(struct command_deta
     sa.sa_handler = handler;
     sigaction(SIGCONT, &sa, NULL);
 
+    /*
+     * The policy plugin's session init must be run before we fork
+     * or certain pam modules won't be able to track their state.
+     */
+    struct passwd *pw;
+    pw = getpwuid(details->euid);
+    if (policy_init_session(details, pw) != TRUE)
+	errorx(1, _("policy plugin failed session initialization"));
+
     child = fork();
     switch (child) {
     case -1:
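Review bot: The result of `getpwuid(details->euid)` in fork_cmnd is passed to `policy_init_session()` without being inspected, so the plugin receives NULL both when the uid has no passwd entry and when the lookup itself failed. getpwuid signals that second case only through errno. A plugin that skips session setup for a NULL pwd would then let the command run without a PAM session after a transient lookup failure, presumably without any message. Clearing errno and failing closed on a real error separates the two cases: `errno = 0; pw = getpwuid(details->euid);` followed by `if (pw == NULL && errno != 0) errorx(1, _("unable to look up target user"));` (message text is illustrative). The identical block added to fork_pty in src/exec_pty.c needs the same treatment; fork_cmnd's body continues outside this hunk.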
Index: sudo-1.8.2/src/exec_pty.c
===================================================================
--- sudo-1.8.2.orig/src/exec_pty.c	2011-06-04 16:01:30.000000000 +0200
+++ sudo-1.8.2/src/exec_pty.c	2012-06-01 16:01:07.706685469 +0200
@@ -56,6 +56,7 @@
 #include <fcntl.h>
 #include <signal.h>
 #include <termios.h>
+#include <pwd.h>
 
 #include "sudo.h"
 #include "sudo_exec.h"
@@ -567,6 +568,15 @@ fork_pty(struct command_details *details
 	}
     }
 
+    /*
+     * The policy plugin's session init must be run before we fork
+     * or certain pam modules won't be able to track their state.
+     */
+    struct passwd *pw;
+    pw = getpwuid(details->euid);
+    if (policy_init_session(details, pw) != TRUE)
+	errorx(1, _("policy plugin failed session initialization"));
+
     child = fork();
     switch (child) {
     case -1:
Index: sudo-1.8.2/src/sudo.c
===================================================================
--- sudo-1.8.2.orig/src/sudo.c	2012-06-01 16:01:07.672685473 +0200
+++ sudo-1.8.2/src/sudo.c	2012-06-01 16:08:41.193655065 +0200
@@ -135,8 +135,6 @@ static int policy_list(struct plugin_con
     char * const argv[], int verbose, const char *list_user);
 static int policy_validate(struct plugin_container *plugin);
 static void policy_invalidate(struct plugin_container *plugin, int remove);
-static int policy_init_session(struct plugin_container *plugin,
-    struct passwd *pwd);
 
 /* I/O log plugin convenience functions. */
 static int iolog_open(struct plugin_container *plugin, char * const settings[],
@@ -903,13 +901,6 @@ exec_setup(struct command_details *detai
     aix_restoreauthdb();
 #endif
 
-    /*
-     * Call policy plugin's session init before other setup occurs.
-     * The session init code is expected to print an error as needed.
-     */
-    if (policy_init_session(&policy_plugin, pw) != TRUE)
-	goto done;
-
 #ifdef HAVE_SELINUX
     if (ISSET(details->flags, CD_RBAC_ENABLED)) {
 	if (selinux_setup(details->selinux_role, details->selinux_type,
@@ -1155,11 +1146,12 @@ policy_invalidate(struct plugin_containe
     plugin->u.policy->invalidate(remove);
 }
 
-static int
-policy_init_session(struct plugin_container *plugin, struct passwd *pwd)
+int
+policy_init_session(struct command_details *details, struct passwd *pwd)
 {
-    if (plugin->u.policy->init_session)
-	return plugin->u.policy->init_session(pwd);
+    if (policy_plugin.u.policy->init_session)
+       return policy_plugin.u.policy->init_session(pwd);
+
     return TRUE;
 }
 
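Review bot: The new `details` parameter of `policy_init_session()` is never read; the body goes straight to the global `policy_plugin`, so both callers pass an argument that has no effect. Either drop it (`int policy_init_session(struct passwd *pwd)`, with the sudo.h prototype changed to match) or use it, for example by doing the `getpwuid(details->euid)` lookup here so the block duplicated in fork_cmnd and fork_pty lives in one place. Now that the function is no longer static it should carry a comment stating its contract, e.g. `/* Run the policy plugin's init_session hook, if any, in the parent before fork(); returns TRUE when there is no hook. */`. The rewritten inner `return` line is also indented with spaces where the removed line used a tab.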
Index: sudo-1.8.2/src/sudo.h
===================================================================
--- sudo-1.8.2.orig/src/sudo.h	2011-07-21 15:55:54.000000000 +0200
+++ sudo-1.8.2/src/sudo.h	2012-06-01 16:07:41.289659082 +0200
@@ -201,6 +201,7 @@ void get_ttysize(int *rowp, int *colp);
 
 /* sudo.c */
 int exec_setup(struct command_details *details, const char *ptyname, int ptyfd);
+int policy_init_session(struct command_details *details, struct passwd *pwd);
 int run_command(struct command_details *details);
 void sudo_debug(int level, const char *format, ...) __printflike(2, 3);
 extern int debug_level;