static pam_handle_t *pamh;
int
-pam_init(struct passwd *pw, char **promptp, sudo_auth *auth)
+pam_init(struct passwd *pw, sudo_auth *auth)
{
static struct pam_conv pam_conv;
static int pam_status;
int *pam_status = (int *) auth->data;
/* If successful, we can't close the session until pam_end_session() */
- if (auth->status == AUTH_SUCCESS)
+ if (*pam_status == AUTH_SUCCESS)
return AUTH_SUCCESS;
*pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+ pamh = NULL;
return *pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}
goto done;
}
- /* If the user did not have to authenticate there is no pam handle yet. */
- if (pamh == NULL)
- pam_init(pw, NULL, NULL);
-
/*
* Update PAM_USER to reference the user we are running the command
* as, as opposed to the user we authenticated as.
}
int
-pam_end_session(sudo_auth *auth)
+pam_end_session(struct passwd *pw, sudo_auth *auth)
{
int status = PAM_SUCCESS;
- if (pamh) {
+ if (pamh != NULL) {
#ifndef NO_PAM_SESSION
+ /*
+ * Update PAM_USER to reference the user we are running the command
+ * as to match the call to pam_open_session().
+ */
+ (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
(void) pam_close_session(pamh, PAM_SILENT);
#endif
status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+ pamh = NULL;
}
+
return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}
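Review bot: The new `pam_set_item(pamh, PAM_USER, pw->pw_name)` call discards its return value, so if PAM refuses to update PAM_USER the session is still closed under whatever user the item last held, defeating the stated goal of matching `pam_open_session()`, and nothing records that it happened. The status should be checked and reported through the file's existing warning helper before the `pam_close_session()` call, e.g. `if (pam_set_item(pamh, PAM_USER, pw->pw_name) != PAM_SUCCESS) /* LOG_HELPER_PLACEHOLDER: "unable to set PAM_USER" */;`, rather than cast to void. `pw` is also dereferenced unconditionally on that line; if any caller of `pam_end_session()` can pass a NULL `pw`, a guard is needed, though the callers are outside this hunk. The added `pamh = NULL;` after `pam_end()` is what keeps a second call from reusing a freed handle, so the short comment `/* handle is invalid after pam_end(); clear it so a repeat call is a no-op */` would make that intent explicit.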