From a68e821ef931cf02c2e81c22bc974a55beeb0ca7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Wed, 2 Oct 2024 00:00:29 +0200 Subject: [PATCH] plugins/pam: Check the user didn't change during PAM transaction PAM modules can change the user during their execution, in such case, sudo would still use the user that has been provided giving potentially access to another user with the credentials of another one. So prevent this to happen, by ensuring that the final PAM user is matching the one which started the transaction --- plugins/sudoers/auth/pam.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index 3b678bf4d4..a150551caa 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -330,6 +330,19 @@ sudo_pam_verify(const struct sudoers_context *ctx, struct passwd *pw, debug_return_int(AUTH_FAILURE); } + if (*pam_status == PAM_SUCCESS) { + const char *pam_user = NULL; + + *pam_status = pam_get_item(pamh, PAM_USER, (const void **) &pam_user); + if (*pam_status == PAM_SUCCESS && + (pam_user == NULL || strcmp(pam_user, pw->pw_name) != 0)) { + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to authenticate '%s' as user '%s'", + pw->pw_name, pam_user); + debug_return_int(AUTH_FAILURE); + } + } + if (getpass_error) { /* error or ^C from tgetpass() or running non-interactive */ debug_return_int(noninteractive ? AUTH_NONINTERACTIVE : AUTH_INTR);