Date: Mon, 21 Jan 2002 11:33:57 -0500 (EST)
From: "Storms of Perfection" <gary@outloud.org>
To: <matusita@jp.FreeBSD.org>
Cc: <current@FreeBSD.ORG>
Subject: Re: sudo redu
Message-ID: <1699.63.68.129.181.1011630837.squirrel@test.outloud.org>
In-Reply-To: <20020120041357U.matusita@jp.FreeBSD.org>
References: <20020120041357U.matusita@jp.FreeBSD.org>
The problem(s) with sudo have been fixed in the latest sudo CVS release.
This works for me on -CURRENT as of December 16th, 2001 and RELENG_4
--- /tmp/sudo-1.6.5p1/auth/pam.c Mon Dec 31 12:18:12 2001
+++ /home/ancient/test/sudo/auth/pam.c Mon Jan 21 06:54:37 2002
@@ -66,7 +66,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: pam.c,v 1.23 2001/12/31 17:18:12
millert Exp $";
+static const char rcsid[] = "$Sudo: pam.c,v 1.25 2002/01/20 19:21:33
millert Exp $";
#endif /* lint */
static int sudo_conv __P((int, PAM_CONST struct pam_message **,
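Review bot: The two rcsid lines in this hunk are wrapped as posted (`millert Exp $";` sits on a line of its own with no `-` or `+` prefix), and the same wrapping recurs in comment lines further down, so patch(1) will reject the diff in this form. Resend it as an attachment or with line wrapping disabled. The rcsid change can also be dropped from a locally carried patch, since the `$Sudo$` keyword string is rewritten by the upstream repository on commit.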
@@ -163,7 +163,6 @@
struct pam_conv pam_conv;
pam_handle_t *pamh;
const char *s;
- int error;
/* We need to setup a new PAM session for the user we are changing
*to*. */
pam_conv.conv = sudo_conv;
@@ -176,16 +175,19 @@
if (strcmp(user_tty, "unknown"))
(void) pam_set_item(pamh, PAM_TTY, user_tty);
- /* Set credentials (may include resource limits, device ownership,
etc). */
- if ((error = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
- if ((s = pam_strerror(pamh, error)))
- log_error(NO_EXIT|NO_MAIL, "pam_setcred: %s", s);
- }
+ /*
+ * Set credentials (may include resource limits, device ownership,
etc).
+ * We don't check the return value here because in Linux-PAM 0.75
+ * it returns the last saved return code, not the return code
+ * for the setcred module. Because we haven't called pam_authenticate
(),
+ * this is not set and so pam_setcred() returns PAM_PERM_DENIED.
+ */
+ (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
- if (pam_end(pamh, error) != PAM_SUCCESS)
+ if (pam_end(pamh, PAM_SUCCESS) == PAM_SUCCESS)
+ return(PAM_SUCCESS);
+ else
return(AUTH_FAILURE);
-
- return(error == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
}
/*
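Review bot: The new success path after pam_end() returns `PAM_SUCCESS` while the failure path returns `AUTH_FAILURE`, mixing two constant families in one function; the removed line returned `AUTH_SUCCESS` on success, and the new code should keep that (`return(AUTH_SUCCESS);`) rather than rely on the two constants having the same value. Separately, `(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);` discards the result on every PAM implementation, not only on the Linux-PAM 0.75 named in the comment, and the `log_error(NO_EXIT|NO_MAIL, ...)` call goes with it, so a real failure to establish credentials is no longer visible anywhere. Consider keeping the non-fatal log for results other than the `PAM_PERM_DENIED` case the comment describes.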
@@ -219,7 +221,9 @@
/* Read the password. */
pr->resp = estrdup((char *) tgetpass(p,
def_ival(I_PASSWD_TIMEOUT) * 60, tgetpass_flags));
- if (pr->resp == NULL || *pr->resp == '\0')
+ if (pr->resp == NULL)
+ pr->resp = "";
+ if (*pr->resp == '\0')
nil_pw = 1; /* empty password */
break;
case PAM_TEXT_INFO:
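Review bot: `pr->resp = "";` in the NULL branch stores a string literal in a field that otherwise holds heap memory from `estrdup()`; PAM conversation responses are released with free() by whoever consumes them, so the literal can end up passed to free(). Use `pr->resp = estrdup("");` so both branches hand back allocated storage. Note also that the NULL test runs after `estrdup()` has already been given the result of `tgetpass()`; if the case being guarded is `tgetpass()` returning NULL, test that value before duplicating it, unless `estrdup()` is known to pass NULL through.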
>
> FYI: pam_setcred() call seems used in OpenSSH, ftpd, rshd, login, and
> su already included in FreeBSD source code.
>
> <URL:http://snapshots.jp.freebsd.org/tour/current/cgi-bin/global.cgi?pattern=pam_setcred&id=&type=reference>
>
> imp> OK. This looks like a problem in 1.6.4p1 of sudo. It isn't a problem
> imp> with 1.6.3p7_2. 1.6.4 works on -stable, but not -current.
>
> I've checked about new sudo's behavior on some OSes:
>
> Debian (woody) sudo-1.6.4.1 OK (tested on 1 machine)
> FreeBSD 2.2.8-RELEASE sudo-1.6.5.1 OK (tested on 1 machine)
> FreeBSD 3.4-stable sudo-1.6.5.1 NG (tested on 1 machine)
> FreeBSD 4-stable sudo-1.6.5.1 OK (tested on some machines)
> FreeBSD 5-current sudo-1.6.5.1 OK / NG (tested on some machines)
>
> "OK / NG" means that "some machines work fine, but some machines go
> wrong".
>
> ***
>
> I don't know what the real problem is, but it seems that sudo doesn't
> have the problem IMHO. Does anyone have a solution to this problem?
>
> -- -
> Makoto `MAR' Matsushita
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
Gary Stanley
Network Security Engineer
PRECISIONet, Inc.
(877) 595-8570
"Tickle us, do we not laugh? Prick us, do we not bleed? Wrong us, shall we
not revenge?" (Merchant of Venice II i 56-63, paraphrase)
