Bug 804123
| Field | Value |
|---|---|
| Summary | sudo does not call pam_close_session() or pam_end() |
| Product | Red Hat Enterprise Linux 6 |
| Component | sudo |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 6.2 |
| Target Milestone | rc |
| Target Release | 6.4 |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | sudo-1.8.6p3-1.el6 |
| Doc Type | Bug Fix |
| Reporter | Dustin Black <dblack> |
| Assignee | Daniel Kopeček <dkopecek> |
| QA Contact | Aleš Mareček <amarecek> |
| CC | amarecek, cww, dblack, ksrot, pvrabec |

Doc Text:
Cause:
A different PAM handle is passed to PAM API functions where the same handle should be used. The global variable holding the PAM handle is initialized in a child process, which has a separate address space, so the initialization has no effect on the parent's PAM handle, where the pam_end_sessions function is called.
Consequence:
(from comment #3)
A module may rely on being called at session close in order to release resources or make important administrative changes, which now won't happen.
Fix:
Fixed by rebasing to a newer upstream version which uses the PAM API correctly, i.e. initializes one PAM handle and uses it in all related PAM API function calls.
Result:
PAM session is closed correctly.

| Field | Value |
|---|---|
| Last Closed | 2013-02-21 09:44:15 UTC |
| Bug Blocks | 782183 |

Description
Dustin Black
2012-03-16 15:14:47 UTC
Hi, does this bug have any consequences that can be observed? I mean, is there any memory leak, error message, ...? Can we check the bug/fix in some "common way", different from the mentioned approach, gdb or systemtap...?

The issue was identified through code analysis, rather than through any known ill effect, afaik. The argument is that sudo does not follow PAM conventions, and it could prevent PAM modules from working correctly, in perhaps significant ways. A module may rely on being called at session close in order to release resources or make important administrative changes, which now won't happen. This is especially a concern considering that this is a security-critical component.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0363.html
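
An added example (not sudo's code and not part of the bug report) that models the cause given in the Doc Text: a global handle assigned in a forked child never reaches the parent, so the parent's teardown finds nothing to close. The handle type and the `session_start`, `session_close` and `run_command` names are hypothetical stand-ins for the PAM calls, and initializing before `fork()` is an assumed way of keeping a single handle.

```c
/* Added illustration: stand-in handle, not libpam or sudo code. */
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct fake_pam_handle { int session_open; };   /* hypothetical handle type */

static struct fake_pam_handle *g_handle;        /* global handle, as in the bug text */

/* Stand-in for starting PAM and opening a session. */
static void session_start(void) {
    g_handle = malloc(sizeof *g_handle);
    if (g_handle) g_handle->session_open = 1;
}

/* Stand-in for closing the session and ending PAM.
 * Returns 1 if a session was closed, 0 if this process holds no handle. */
static int session_close(void) {
    if (g_handle == NULL) return 0;
    g_handle->session_open = 0;
    free(g_handle);
    g_handle = NULL;
    return 1;
}

/* Runs a "command" in a child process. init_in_child != 0 selects the
 * buggy ordering. Returns the parent's session_close() result, -1 if
 * fork() fails. */
static int run_command(int init_in_child) {
    g_handle = NULL;
    if (!init_in_child) session_start();         /* one handle, set before fork */
    pid_t pid = fork();
    if (pid < 0) { session_close(); return -1; }
    if (pid == 0) {
        if (init_in_child) session_start();      /* writes only the child's copy */
        _exit(0);                                /* the command would run here */
    }
    int status;
    waitpid(pid, &status, 0);
    return session_close();                      /* teardown runs in the parent */
}

int main(void) {
    int buggy = run_command(1);                  /* parent never sees the handle */
    int fixed = run_command(0);                  /* parent closes the session */
    return (buggy == 0 && fixed == 1) ? 0 : 1;
}
```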