
sudo 1.6.9 interactions with PAM and libpam_afs_session

2007-11-22 14:01

For those using libpam_afs_session or any other PAM session modules on Debian Lenny or Sid:

sudo 1.6.9p6-1, which migrated into testing on 2007-11-04, introduced a change in which pam_open_session and pam_close_session are now called before and after command execution.

Previously, in the 1.6.8 branch of sudo, these calls were not made, and therefore there were no references to session modules in /etc/pam.d/sudo. The new calls resulted in the session entries being read from /etc/pam.d/other (the default PAM stack file); in Debian, this defaults to reading /etc/pam.d/common-session, etc. However, the Debian way is to explicitly @include PAM common-* files in files instead of just letting things fall through; it’s a bug that sudo now calls the session stack but doesn’t mention it in its PAM file (one reason it was so difficult for me to track this down).

Since we were invoking pam_afs_session.so and pam_unix.so in common-session, a new PAG was being created on every sudo, and the Unix session logging was also being triggered unnecessarily. Because a new PAG on sudo meant we no longer held our AFS tokens, we couldn’t read files in our own home directories after sudoing, so trying a dpkg -i ~/package_1.0.0-1_i386.deb, running nano (which accesses ~/.nano_history), etc. all triggered all sorts of nasty warnings.

For us, the fix was to copy the entries from common-session into /etc/pam.d/sudo, leaving out the pam_afs_session.so entry; since /etc/pam.d/sudo now has session entries of its own, the default common-session entries are no longer invoked for sudo. However, I don’t see an easy default way for Debian to do things – using pam_permit might be a sensible default (and wouldn’t cause any new behavior compared to 1.6.8), but the common-* defaults exist for a reason…
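The awkward part of tracking this down is that nothing in /etc/pam.d/sudo says "session", so the fall-through to /etc/pam.d/other is invisible unless you know to look for it. The following script, an added example and not part of the original post or of the Debian sudo package, reports which of the four PAM management groups a service file defines (directly or via Debian-style @include lines) and which ones libpam will take from /etc/pam.d/other instead. It builds a constructed Lenny-style /etc/pam.d in a temporary directory (the file contents, the "common-session-noafs" name and the PAM_DIR variable are assumptions for the demo) so it runs offline; point PAM_DIR at a real /etc/pam.d to check a live system.

```shell
#!/bin/sh
# Added example: find PAM management groups a service does not configure
# itself, i.e. the ones that fall through to /etc/pam.d/other.

# Print the module types (auth/account/password/session) configured by a
# PAM service file, following "@include" lines recursively. PAM_DIR may be
# overridden (assumed variable, defaults to the real PAM directory).
pam_types() {
    f="$1"
    dir="${PAM_DIR:-/etc/pam.d}"
    [ -r "$f" ] || return 0
    # Strip comments (including the "#%PAM-1.0" banner), then look only at
    # the first column: either a type keyword or an @include directive.
    sed 's/#.*//' "$f" | while read -r type arg rest; do
        case "$type" in
            "") ;;                                   # blank line
            @include) pam_types "$dir/$arg" ;;       # Debian-style include
            -auth|-account|-password|-session) echo "${type#-}" ;;  # optional-module form
            auth|account|password|session) echo "$type" ;;
        esac
    done | sort -u
}

# For each management group, say whether the named service defines it or
# whether libpam will fall back to the "other" stack for that group.
pam_fallthrough() {
    svc="$1"
    dir="${PAM_DIR:-/etc/pam.d}"
    types=$(pam_types "$dir/$svc")
    for t in auth account password session; do
        if printf '%s\n' "$types" | grep -qx "$t"; then
            echo "$t: defined in $svc"
        else
            echo "$t: MISSING -> falls through to other"
        fi
    done
}

# Build a constructed Lenny-style /etc/pam.d under $1 (sample data, not a
# copy of any real system): "sudo" as shipped with no session lines, and
# "sudo.fixed" carrying the post's fix (common-session minus pam_afs_session).
make_sample_pamd() {
    d="$1"
    mkdir -p "$d"
    printf 'auth required pam_unix.so\n' > "$d/common-auth"
    printf 'account required pam_unix.so\n' > "$d/common-account"
    printf 'session required pam_unix.so\nsession optional pam_afs_session.so\n' > "$d/common-session"
    printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$d/other"
    printf '@include common-session\n' >> "$d/other"
    printf '#%%PAM-1.0\n@include common-auth\n@include common-account\n' > "$d/sudo"
    cp "$d/sudo" "$d/sudo.fixed"
    printf 'session required pam_unix.so\n' >> "$d/sudo.fixed"
}

# Stand-alone demo: show the gap in the shipped file and that the fix closes it.
if [ "${PAM_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp -d)
    make_sample_pamd "$tmp"
    PAM_DIR="$tmp"
    echo "== sudo (as shipped) =="; pam_fallthrough sudo
    echo "== sudo.fixed =="; pam_fallthrough sudo.fixed
    rm -rf "$tmp"
fi
```

On the constructed sample, the shipped file reports auth and account as defined and password and session as MISSING; after the fix, session is defined in sudo.fixed, so /etc/pam.d/other (and with it common-session and pam_afs_session.so) is no longer consulted for that group. Password still falls through, which is harmless for sudo since it never calls pam_chauthtok, but the report makes that choice explicit instead of silent.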

I’ve filed Debian Bug #452457 about this issue.

  1. I am a debian fan. I’m grateful to you as you’ve filed the bug. Thanks.

    Jogos    Mar 30, 08:05 PM
