We need to init the auth system regardless of whether we need a

password since we will be closing the PAM session in the monitor process. Fixes a crash in the monitor on Solaris; bugzilla #518
2025-08-31 14:25:15 +00:00 · 2011-10-25 10:08:26 -04:00
parent ab75dd2e30
commit 9b2c889812
2 changed files with 32 additions and 28 deletions
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -104,25 +104,21 @@ check_user(int validated, int mode)
    char *prompt;
    struct stat sb;
    int status, rval = TRUE;
+    int need_pass = def_authenticate;
    debug_decl(check_user, SUDO_DEBUG_AUTH)

-    /* Stash the tty's ctime for tty ticket comparison. */
-    if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
-	tty_info.dev = sb.st_dev;
-	tty_info.ino = sb.st_ino;
-	tty_info.rdev = sb.st_rdev;
-	if (tty_is_devpts(user_ttypath))
-	    ctim_get(&sb, &tty_info.ctime);
-    }
-
-    /* Init authentication system regardless of whether we need a password. */
+    /*
+     * Init authentication system regardless of whether we need a password.
+     * Required for proper PAM session support.
+     */
    auth_pw = get_authpw();
    if (sudo_auth_init(auth_pw) == -1) {
 	rval = -1;
 	goto done;
    }

-    /* Always prompt for a password when -k was specified with the command. */
+    if (need_pass) {
+	/* Always need a password when -k was specified with the command. */
 	if (ISSET(mode, MODE_IGNORE_TICKET)) {
 	    SET(validated, FLAG_CHECK_USER);
 	} else {
@@ -131,9 +127,21 @@ check_user(int validated, int mode)
 	     * If the user is not changing uid/gid, no need for a password.
 	     */
 	    if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
-	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
-	    user_is_exempt())
+		(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
+		|| user_is_exempt())
+		need_pass = FALSE;
+	}
+    }
+    if (!need_pass)
 	goto done;
+
+    /* Stash the tty's ctime for tty ticket comparison. */
+    if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
+	tty_info.dev = sb.st_dev;
+	tty_info.ino = sb.st_ino;
+	tty_info.rdev = sb.st_rdev;
+	if (tty_is_devpts(user_ttypath))
+	    ctim_get(&sb, &tty_info.ctime);
    }

    if (build_timestamp(&timestampdir, &timestampfile) == -1) {
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -440,13 +440,9 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    rebuild_env();

    /* Require a password if sudoers says so.  */
-    if (def_authenticate) {
-	int rc = check_user(validated, sudo_mode);
-	if (rc != TRUE) {
-	    rval = rc;
+    rval = check_user(validated, sudo_mode);
+    if (rval != TRUE)
 	goto done;
-	}
-    }

    /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
    /* XXX - causes confusion when root is not listed in sudoers */