Call pam_open_session() and pam_close_session() to give pam_limits a

chance to run. Idea from Karel Zak.
2025-08-30 22:05:46 +00:00 · 2005-05-27 05:59:02 +00:00
parent c7ea24f2cc
commit d3b45ae3f1
1 changed files with 12 additions and 0 deletions
--- a/auth/pam.c
+++ b/auth/pam.c
@@ -195,6 +195,18 @@ pam_prep_user(pw)
     */
    (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);

+    /*
+     * To fully utilize PAM sessions we would need to keep a
+     * sudo process around until the command exits.  However, we
+     * can at least cause pam_limits to be run by opening and then
+     * immediately closing the session.
+     */
+    if (pam_open_session(pamh, 0) != PAM_SUCCESS) {
+	(void) pam_end(pamh, error);
+	return(AUTH_FAILURE);
+    }
+    (void) pam_close_session(pamh, 0);
+
    if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
 	return(AUTH_SUCCESS);
    else