sudo uses PAM incorrectly: it calls pam_open_session() immediately followed by
pam_close_session() and only then exec()s the actual process.
pam_close_session() must be closed after the process terminates again, not
before. This issue confused a number of PAM modules quite a bit.
login(1) does that correctly. After calling pam_open_session() it forks, and
then in the parent process waits for the child to terminate and then calls
sudo must follow the same scheme.
sudo(8) does not fork(), it calls exec() only. This is feature...
It's necessary to start PAM session, because some resources are defined/restricted during session initialization (e.g. pam_limit). For more details see bug #154511.
Upstream fix: http://www.sudo.ws/repos/sudo/rev/fb3d7de50a05
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.
More information and reason for this action is here:
sudo-1.7.4p4-1.fc14 has been submitted as an update for Fedora 14.
sudo-1.7.4p4-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sudo'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sudo-1.7.4p4-1.fc14
sudo-1.7.4p4-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.