Package: sudo
Version: 1.6.9p6-1
Severity: normal

sudo 1.6.9p6-1 introduces a change in which pam_open_session and
pam_close_session are now called before and after command execution.

Previously, in the 1.6.8 branch of sudo, these calls were not made, and
therefore there were no references to PAM session modules in
/etc/pam.d/sudo.  The new calls result in the session entries being
read from /etc/pam.d/other (the default PAM stack file); in Debian, this
defaults to reading /etc/pam.d/common-session, etc.  However, if a user
has hardened his/her Debian installation according to Javier
Fernandez-Sanguino Pena's _Securing Debian Manual_ (version 3.1.2),
instead, the following session entries from /etc/pam.d/default are used
and sudo becomes unusable:
session required pam_unix_session.so
session required pam_warn.so
session required pam_deny.so

The solution is to specify a sensible default for the session stack to
avoid falling through to /etc/pam.d/default.  I would suggest either:
session required pam_permit.so (which duplicates the behavior of sudo
1.6.8 in which no session calls were made)
[or]
@include common-session (which will probably result in tolerable
behavior, but still be a bit irritating in terms of spurious pam_unix
session open/close calls in auth.log and triggering of things in
common-session such as PAG creation with pam_afs_session.so in our case)

This also might be a good occasion to insert a fix for #402329 by adding
in an entry for pam_limits.so as well:
session required pam_limits.so
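The following is an added example and is not part of this bug report or of
the sudo package. It is a POSIX shell script that reproduces the Linux-PAM
fallback rule described above (a service file that contributes no lines of
a given type falls through to the "other" file, which the report also refers
to as "default") on constructed pam.d directories, so that an administrator
can check whether sudo's effective session stack would end in pam_deny.so
before upgrading. The function names, the constructed "other",
"common-session" and "sudo" files, and the one-level @include expansion are
all assumptions of the example; the hardened "other" file below is modelled
on the deny-by-default stack the report quotes.

```shell
#!/bin/sh
# Added example (not from the bug report): resolve the session lines PAM
# would run for a service, including the fall-through to "other".

# session_lines DIR SERVICE
#   Print the "session" lines of DIR/SERVICE, with comments stripped and
#   "@include FILE" expanded one level (as Debian's pam.d files use it).
#   Missing files contribute nothing.
session_lines() {
    dir=$1
    svc=$2
    [ -f "$dir/$svc" ] || return 0
    awk -v dir="$dir" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "session" { print; next }
        $1 == "@include" {
            inc = dir "/" $2
            while ((getline line < inc) > 0) {   # getline returns -1 if absent
                sub(/#.*/, "", line)
                if (line ~ /^[ \t]*session[ \t]/) print line
            }
            close(inc)
        }
    ' "$dir/$svc"
}

# effective_session_stack DIR SERVICE
#   Session lines PAM would actually execute: those of SERVICE, or, if the
#   service file contributes none, those of DIR/other (Linux-PAM behaviour).
effective_session_stack() {
    out=$(session_lines "$1" "$2")
    if [ -z "$out" ]; then
        out=$(session_lines "$1" other)
    fi
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    fi
}

# check_sudo_session DIR
#   Print DENIES if sudo's effective session stack contains pam_deny,
#   EMPTY if no session lines are found at all, ok otherwise.
check_sudo_session() {
    stack=$(effective_session_stack "$1" sudo)
    case "$stack" in
        *pam_deny*) echo DENIES ;;
        "")         echo EMPTY ;;
        *)          echo ok ;;
    esac
}

# make_demo_pamd DIR MODE
#   Populate DIR with constructed pam.d files. MODE is one of:
#     hardened  - sudo file has no session lines (falls through to "other")
#     permit    - sudo file carries pam_permit.so + pam_limits.so
#     include   - sudo file carries "@include common-session"
make_demo_pamd() {
    mkdir -p "$1"
    # Constructed Debian-style common-session fragment.
    printf 'session required pam_unix.so\n' > "$1/common-session"
    # Constructed hardened "other": warn and deny everything (deny-by-default).
    cat > "$1/other" <<'EOF'
auth    required pam_warn.so
auth    required pam_deny.so
session required pam_warn.so
session required pam_deny.so
EOF
    printf 'auth required pam_unix.so\n' > "$1/sudo"
    case "$2" in
        permit)
            printf 'session required pam_permit.so\n' >> "$1/sudo"
            printf 'session required pam_limits.so\n' >> "$1/sudo"
            ;;
        include)
            printf '@include common-session\n' >> "$1/sudo"
            ;;
    esac
}

# demo: build the three constructed layouts and report each verdict.
demo() {
    d=$(mktemp -d)
    for mode in hardened permit include; do
        make_demo_pamd "$d/$mode" "$mode"
        printf '%-9s %s\n' "$mode" "$(check_sudo_session "$d/$mode")"
    done
    rm -rf "$d"
}

case "${1-}" in
    --demo) demo ;;
esac
```

Run it as "sh script.sh --demo"; the hardened layout reports DENIES, which is
the unusable-sudo situation the report describes, while the two suggested
fixes report ok. To inspect a real system, call
"effective_session_stack /etc/pam.d sudo" in a shell that has sourced the
script.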


Regards,

Elizabeth Fong

Lead sysadmin, UGCS
[EMAIL PROTECTED]
http://www.ugcs.caltech.edu

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.22 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6                         2.6.1-1+b1 GNU C Library: Shared libraries
ii  libpam-modules                0.99.7.1-5 Pluggable Authentication Modules f
ii  libpam0g                      0.99.7.1-5 Pluggable Authentication Modules l

sudo recommends no packages.

-- no debconf information
