We need to init the auth system regardless of whether we need a

password since we will be closing the PAM session in the monitor process. Fixes a crash in the monitor on Solaris; bugzilla #518
2025-08-31 14:25:15 +00:00 · 2011-10-25 10:08:26 -04:00
parent ab75dd2e30
commit 9b2c889812
2 changed files with 32 additions and 28 deletions
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -104,8 +104,37 @@ check_user(int validated, int mode)
    char *prompt;
    struct stat sb;
    int status, rval = TRUE;
+    int need_pass = def_authenticate;
    debug_decl(check_user, SUDO_DEBUG_AUTH)

+    /*
+     * Init authentication system regardless of whether we need a password.
+     * Required for proper PAM session support.
+     */
+    auth_pw = get_authpw();
+    if (sudo_auth_init(auth_pw) == -1) {
+	rval = -1;
+	goto done;
+    }
+
+    if (need_pass) {
+	/* Always need a password when -k was specified with the command. */
+	if (ISSET(mode, MODE_IGNORE_TICKET)) {
+	    SET(validated, FLAG_CHECK_USER);
+	} else {
+	    /*
+	     * Don't prompt for the root passwd or if the user is exempt.
+	     * If the user is not changing uid/gid, no need for a password.
+	     */
+	    if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+		(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
+		|| user_is_exempt())
+		need_pass = FALSE;
+	}
+    }
+    if (!need_pass)
+	goto done;
+
    /* Stash the tty's ctime for tty ticket comparison. */
    if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
 	tty_info.dev = sb.st_dev;
@@ -115,27 +144,6 @@ check_user(int validated, int mode)
 	    ctim_get(&sb, &tty_info.ctime);
    }

-    /* Init authentication system regardless of whether we need a password. */
-    auth_pw = get_authpw();
-    if (sudo_auth_init(auth_pw) == -1) {
-	rval = -1;
-	goto done;
-    }
-
-    /* Always prompt for a password when -k was specified with the command. */
-    if (ISSET(mode, MODE_IGNORE_TICKET)) {
-	SET(validated, FLAG_CHECK_USER);
-    } else {
-	/*
-	 * Don't prompt for the root passwd or if the user is exempt.
-	 * If the user is not changing uid/gid, no need for a password.
-	 */
-	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
-	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
-	    user_is_exempt())
-	    goto done;
-    }
-
    if (build_timestamp(&timestampdir, &timestampfile) == -1) {
 	rval = -1;
 	goto done;
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -440,13 +440,9 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    rebuild_env();

    /* Require a password if sudoers says so.  */
-    if (def_authenticate) {
-	int rc = check_user(validated, sudo_mode);
-	if (rc != TRUE) {
-	    rval = rc;
-	    goto done;
-	}
-    }
+    rval = check_user(validated, sudo_mode);
+    if (rval != TRUE)
+	goto done;

    /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
    /* XXX - causes confusion when root is not listed in sudoers */