Add pam_acct_mgmt setting to enable/disable PAM account validation.

doc/sudoers.cat

@@ -1286,6 +1286,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                        well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end
                        of this manual.  This flag is _o_f_f by default.
 
+     pam_acct_mgmt     On systems that use PAM for authentication, ssuuddoo will
+                       perform PAM account validation for the invoking user by
+                       default.  The actual checks performed depend on which
+                       PAM modules are configured.  If enabled, account
+                       validation will be performed regardless of whether or
+                       not a password is required.  This flag is _o_n by
+                       default.
+
+                       This setting is only supported by version 1.8.28 or
+                       higher.
+
      pam_session       On systems that use PAM for authentication, ssuuddoo will
                        create a new PAM session for the command to be run in.
                        Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM
@@ -2928,4 +2939,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.28                      March 4, 2019                     Sudo 1.8.28
+Sudo 1.8.28                     April 29, 2019                     Sudo 1.8.28

doc/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "March 4, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "April 29, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -2722,6 +2722,19 @@ This flag is
 \fIoff\fR
 by default.
 .TP 18n
+pam_acct_mgmt
+On systems that use PAM for authentication,
+\fBsudo\fR
+will perform PAM account validation for the invoking user by default.
+The actual checks performed depend on which PAM modules are configured.
+If enabled, account validation will be performed regardless of whether
+or not a password is required.
+This flag is
+\fIon\fR
+by default.
+.sp
+This setting is only supported by version 1.8.28 or higher.
+.TP 18n
 pam_session
 On systems that use PAM for authentication,
 \fBsudo\fR

doc/sudoers.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd March 4, 2019
+.Dd April 29, 2019
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2560,6 +2560,18 @@ section at the end of this manual.
 This flag is
 .Em off
 by default.
+.It pam_acct_mgmt
+On systems that use PAM for authentication,
+.Nm sudo
+will perform PAM account validation for the invoking user by default.
+The actual checks performed depend on which PAM modules are configured.
+If enabled, account validation will be performed regardless of whether
+or not a password is required.
+This flag is
+.Em on
+by default.
+.Pp
+This setting is only supported by version 1.8.28 or higher.
 .It pam_session
 On systems that use PAM for authentication,
 .Nm sudo

plugins/sudoers/auth/pam.c

@@ -313,66 +313,68 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
     int *pam_status = (int *) auth->data;
     debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
 
-    rc = pam_acct_mgmt(pamh, PAM_SILENT);
+    if (def_pam_acct_mgmt) {
-    switch (rc) {
+	rc = pam_acct_mgmt(pamh, PAM_SILENT);
-	case PAM_SUCCESS:
+	switch (rc) {
-	    break;
+	    case PAM_SUCCESS:
-	case PAM_AUTH_ERR:
-	    log_warningx(0, N_("account validation failure, "
-		"is your account locked?"));
-	    status = AUTH_FATAL;
-	    break;
-	case PAM_NEW_AUTHTOK_REQD:
-	    /* Ignore if user is exempt from password restrictions. */
-	    if (exempt) {
-		rc = *pam_status;
 		break;
-	    }
+	    case PAM_AUTH_ERR:
-	    /* New password required, try to change it. */
+		log_warningx(0, N_("account validation failure, "
-	    log_warningx(0, N_("Account or password is "
+		    "is your account locked?"));
-		"expired, reset your password and try again"));
+		status = AUTH_FATAL;
-	    rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-	    if (rc == PAM_SUCCESS)
 		break;
-	    if ((s = pam_strerror(pamh, rc)) == NULL)
+	    case PAM_NEW_AUTHTOK_REQD:
-		s = "unknown error";
+		/* Ignore if user is exempt from password restrictions. */
-	    log_warningx(0,
+		if (exempt) {
-		N_("unable to change expired password: %s"), s);
+		    rc = *pam_status;
-	    status = AUTH_FAILURE;
+		    break;
-	    break;
+		}
-	case PAM_AUTHTOK_EXPIRED:
+		/* New password required, try to change it. */
-	    /* Ignore if user is exempt from password restrictions. */
+		log_warningx(0, N_("Account or password is "
-	    if (exempt) {
+		    "expired, reset your password and try again"));
-		rc = *pam_status;
+		rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+		if (rc == PAM_SUCCESS)
+		    break;
+		if ((s = pam_strerror(pamh, rc)) == NULL)
+		    s = "unknown error";
+		log_warningx(0,
+		    N_("unable to change expired password: %s"), s);
+		status = AUTH_FAILURE;
 		break;
-	    }
+	    case PAM_AUTHTOK_EXPIRED:
-	    /* Password expired, cannot be updated by user. */
+		/* Ignore if user is exempt from password restrictions. */
-	    log_warningx(0,
+		if (exempt) {
-		N_("Password expired, contact your system administrator"));
+		    rc = *pam_status;
-	    status = AUTH_FATAL;
+		    break;
-	    break;
+		}
-	case PAM_ACCT_EXPIRED:
+		/* Password expired, cannot be updated by user. */
-	    log_warningx(0,
+		log_warningx(0,
-		N_("Account expired or PAM config lacks an \"account\" "
+		    N_("Password expired, contact your system administrator"));
-		"section for sudo, contact your system administrator"));
+		status = AUTH_FATAL;
-	    status = AUTH_FATAL;
+		break;
-	    break;
+	    case PAM_ACCT_EXPIRED:
-	case PAM_AUTHINFO_UNAVAIL:
+		log_warningx(0,
-	case PAM_MAXTRIES:
+		    N_("Account expired or PAM config lacks an \"account\" "
-	case PAM_PERM_DENIED:
+		    "section for sudo, contact your system administrator"));
-	    s = pam_strerror(pamh, rc);
+		status = AUTH_FATAL;
-	    log_warningx(0, N_("PAM account management error: %s"),
+		break;
-		s ? s : "unknown error");
+	    case PAM_AUTHINFO_UNAVAIL:
-	    status = AUTH_FAILURE;
+	    case PAM_MAXTRIES:
-	    break;
+	    case PAM_PERM_DENIED:
-	default:
+		s = pam_strerror(pamh, rc);
-	    s = pam_strerror(pamh, rc);
+		log_warningx(0, N_("PAM account management error: %s"),
-	    log_warningx(0, N_("PAM account management error: %s"),
+		    s ? s : "unknown error");
-		s ? s : "unknown error");
+		status = AUTH_FAILURE;
-	    status = AUTH_FATAL;
+		break;
-	    break;
+	    default:
+		s = pam_strerror(pamh, rc);
+		log_warningx(0, N_("PAM account management error: %s"),
+		    s ? s : "unknown error");
+		status = AUTH_FATAL;
+		break;
+	}
+	*pam_status = rc;
     }
-    *pam_status = rc;
     debug_return_int(status);
 }
 

plugins/sudoers/def_data.c

@@ -397,6 +397,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"pam_session", T_FLAG,
 	N_("Create a new PAM session for the command to run in"),
 	NULL,
+    }, {
+	"pam_acct_mgmt", T_FLAG,
+	N_("Perform PAM account validation management"),
+	NULL,
     }, {
 	"maxseq", T_UINT,
 	N_("Maximum I/O log sequence number: %u"),

plugins/sudoers/def_data.h

@@ -178,53 +178,55 @@
 #define def_pam_setcred         (sudo_defs_table[I_PAM_SETCRED].sd_un.flag)
 #define I_PAM_SESSION           89
 #define def_pam_session         (sudo_defs_table[I_PAM_SESSION].sd_un.flag)
-#define I_MAXSEQ                90
+#define I_PAM_ACCT_MGMT         90
+#define def_pam_acct_mgmt       (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
+#define I_MAXSEQ                91
 #define def_maxseq              (sudo_defs_table[I_MAXSEQ].sd_un.uival)
-#define I_USE_NETGROUPS         91
+#define I_USE_NETGROUPS         92
 #define def_use_netgroups       (sudo_defs_table[I_USE_NETGROUPS].sd_un.flag)
-#define I_SUDOEDIT_CHECKDIR     92
+#define I_SUDOEDIT_CHECKDIR     93
 #define def_sudoedit_checkdir   (sudo_defs_table[I_SUDOEDIT_CHECKDIR].sd_un.flag)
-#define I_SUDOEDIT_FOLLOW       93
+#define I_SUDOEDIT_FOLLOW       94
 #define def_sudoedit_follow     (sudo_defs_table[I_SUDOEDIT_FOLLOW].sd_un.flag)
-#define I_ALWAYS_QUERY_GROUP_PLUGIN 94
+#define I_ALWAYS_QUERY_GROUP_PLUGIN 95
 #define def_always_query_group_plugin (sudo_defs_table[I_ALWAYS_QUERY_GROUP_PLUGIN].sd_un.flag)
-#define I_NETGROUP_TUPLE        95
+#define I_NETGROUP_TUPLE        96
 #define def_netgroup_tuple      (sudo_defs_table[I_NETGROUP_TUPLE].sd_un.flag)
-#define I_IGNORE_AUDIT_ERRORS   96
+#define I_IGNORE_AUDIT_ERRORS   97
 #define def_ignore_audit_errors (sudo_defs_table[I_IGNORE_AUDIT_ERRORS].sd_un.flag)
-#define I_IGNORE_IOLOG_ERRORS   97
+#define I_IGNORE_IOLOG_ERRORS   98
 #define def_ignore_iolog_errors (sudo_defs_table[I_IGNORE_IOLOG_ERRORS].sd_un.flag)
-#define I_IGNORE_LOGFILE_ERRORS 98
+#define I_IGNORE_LOGFILE_ERRORS 99
 #define def_ignore_logfile_errors (sudo_defs_table[I_IGNORE_LOGFILE_ERRORS].sd_un.flag)
-#define I_MATCH_GROUP_BY_GID    99
+#define I_MATCH_GROUP_BY_GID    100
 #define def_match_group_by_gid  (sudo_defs_table[I_MATCH_GROUP_BY_GID].sd_un.flag)
-#define I_SYSLOG_MAXLEN         100
+#define I_SYSLOG_MAXLEN         101
 #define def_syslog_maxlen       (sudo_defs_table[I_SYSLOG_MAXLEN].sd_un.uival)
-#define I_IOLOG_USER            101
+#define I_IOLOG_USER            102
 #define def_iolog_user          (sudo_defs_table[I_IOLOG_USER].sd_un.str)
-#define I_IOLOG_GROUP           102
+#define I_IOLOG_GROUP           103
 #define def_iolog_group         (sudo_defs_table[I_IOLOG_GROUP].sd_un.str)
-#define I_IOLOG_MODE            103
+#define I_IOLOG_MODE            104
 #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
-#define I_FDEXEC                104
+#define I_FDEXEC                105
 #define def_fdexec              (sudo_defs_table[I_FDEXEC].sd_un.tuple)
-#define I_IGNORE_UNKNOWN_DEFAULTS 105
+#define I_IGNORE_UNKNOWN_DEFAULTS 106
 #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
-#define I_COMMAND_TIMEOUT       106
+#define I_COMMAND_TIMEOUT       107
 #define def_command_timeout     (sudo_defs_table[I_COMMAND_TIMEOUT].sd_un.ival)
-#define I_USER_COMMAND_TIMEOUTS 107
+#define I_USER_COMMAND_TIMEOUTS 108
 #define def_user_command_timeouts (sudo_defs_table[I_USER_COMMAND_TIMEOUTS].sd_un.flag)
-#define I_IOLOG_FLUSH           108
+#define I_IOLOG_FLUSH           109
 #define def_iolog_flush         (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag)
-#define I_SYSLOG_PID            109
+#define I_SYSLOG_PID            110
 #define def_syslog_pid          (sudo_defs_table[I_SYSLOG_PID].sd_un.flag)
-#define I_TIMESTAMP_TYPE        110
+#define I_TIMESTAMP_TYPE        111
 #define def_timestamp_type      (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple)
-#define I_AUTHFAIL_MESSAGE      111
+#define I_AUTHFAIL_MESSAGE      112
 #define def_authfail_message    (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str)
-#define I_CASE_INSENSITIVE_USER 112
+#define I_CASE_INSENSITIVE_USER 113
 #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
-#define I_CASE_INSENSITIVE_GROUP 113
+#define I_CASE_INSENSITIVE_GROUP 114
 #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
 
 enum def_tuple {

plugins/sudoers/def_data.in

@@ -283,6 +283,9 @@ pam_setcred
 pam_session
 	T_FLAG
 	"Create a new PAM session for the command to run in"
+pam_acct_mgmt
+	T_FLAG
+	"Perform PAM account validation management"
 maxseq
 	T_UINT
 	"Maximum I/O log sequence number: %u"

plugins/sudoers/defaults.c

@@ -641,6 +641,7 @@ init_defaults(void)
     if ((def_editor = strdup(EDITOR)) == NULL)
 	goto oom;
     def_set_utmp = true;
+    def_pam_acct_mgmt = true;
     def_pam_setcred = true;
     def_syslog_maxlen = MAXSYSLOGLEN;
     def_case_insensitive_user = true;