Add pam_silent sudoers option.

Inspired by PR #368
GitHub issue #216

Author: millert

docs/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "March 9, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "April 17, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3824,6 +3824,22 @@ by default.
 .sp
 This setting is only supported by version 1.8.8 or higher.
 .TP 18n
+pam_silent
+If set, PAM authentication will be performed in silent mode.
+This prevents PAM authentication modules from generating output.
+In some cases, this may suppress important information about why
+authentication failed.
+For example, PAM modules such as
+\fIpam_faillock\fR
+will only display a warning if
+\fIpam_silent\fR
+is disabled.
+This flag is
+\fIon\fR
+by default.
+.sp
+This setting is only supported by version 1.8.16 or higher.
+.TP 18n
 passprompt_override
 If set, the prompt specified by
 \fIpassprompt\fR

docs/sudoers.mdoc.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd March 9, 2024
+.Dd April 17, 2024
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3623,6 +3623,21 @@ This flag is
 by default.
 .Pp
 This setting is only supported by version 1.8.8 or higher.
+.It pam_silent
+If set, PAM authentication will be performed in silent mode.
+This prevents PAM authentication modules from generating output.
+In some cases, this may suppress important information about why
+authentication failed.
+For example, PAM modules such as
+.Em pam_faillock
+will only display a warning if
+.Em pam_silent
+is disabled.
+This flag is
+.Em on
+by default.
+.Pp
+This setting is only supported by version 1.8.16 or higher.
 .It passprompt_override
 If set, the prompt specified by
 .Em passprompt

plugins/sudoers/auth/pam.c

@@ -318,7 +318,7 @@ sudo_pam_verify(const struct sudoers_context *ctx, struct passwd *pw,
 	}
 
     /* PAM_SILENT prevents the authentication service from generating output. */
-    *pam_status = pam_authenticate(pamh, PAM_SILENT);
+    *pam_status = pam_authenticate(pamh, def_pam_silent ? PAM_SILENT : 0);
 
     /* Restore def_prompt, the passed-in prompt may be freed later. */
     def_prompt = PASSPROMPT;

plugins/sudoers/def_data.c

@@ -441,6 +441,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"pam_acct_mgmt", T_FLAG,
 	N_("Perform PAM account validation management"),
 	NULL,
+    }, {
+	"pam_silent", T_FLAG,
+	N_("Do not allow PAM authentication modules to generate output"),
+	NULL,
     }, {
 	"maxseq", T_STR,
 	N_("Maximum I/O log sequence number: %s"),

plugins/sudoers/def_data.h

@@ -194,135 +194,137 @@
 #define def_pam_session         (sudo_defs_table[I_PAM_SESSION].sd_un.flag)
 #define I_PAM_ACCT_MGMT         96
 #define def_pam_acct_mgmt       (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
-#define I_MAXSEQ                97
+#define I_PAM_SILENT            97
+#define def_pam_silent          (sudo_defs_table[I_PAM_SILENT].sd_un.flag)
+#define I_MAXSEQ                98
 #define def_maxseq              (sudo_defs_table[I_MAXSEQ].sd_un.str)
-#define I_USE_NETGROUPS         98
+#define I_USE_NETGROUPS         99
 #define def_use_netgroups       (sudo_defs_table[I_USE_NETGROUPS].sd_un.flag)
-#define I_SUDOEDIT_CHECKDIR     99
+#define I_SUDOEDIT_CHECKDIR     100
 #define def_sudoedit_checkdir   (sudo_defs_table[I_SUDOEDIT_CHECKDIR].sd_un.flag)
-#define I_SUDOEDIT_FOLLOW       100
+#define I_SUDOEDIT_FOLLOW       101
 #define def_sudoedit_follow     (sudo_defs_table[I_SUDOEDIT_FOLLOW].sd_un.flag)
-#define I_ALWAYS_QUERY_GROUP_PLUGIN 101
+#define I_ALWAYS_QUERY_GROUP_PLUGIN 102
 #define def_always_query_group_plugin (sudo_defs_table[I_ALWAYS_QUERY_GROUP_PLUGIN].sd_un.flag)
-#define I_NETGROUP_TUPLE        102
+#define I_NETGROUP_TUPLE        103
 #define def_netgroup_tuple      (sudo_defs_table[I_NETGROUP_TUPLE].sd_un.flag)
-#define I_IGNORE_AUDIT_ERRORS   103
+#define I_IGNORE_AUDIT_ERRORS   104
 #define def_ignore_audit_errors (sudo_defs_table[I_IGNORE_AUDIT_ERRORS].sd_un.flag)
-#define I_IGNORE_IOLOG_ERRORS   104
+#define I_IGNORE_IOLOG_ERRORS   105
 #define def_ignore_iolog_errors (sudo_defs_table[I_IGNORE_IOLOG_ERRORS].sd_un.flag)
-#define I_IGNORE_LOGFILE_ERRORS 105
+#define I_IGNORE_LOGFILE_ERRORS 106
 #define def_ignore_logfile_errors (sudo_defs_table[I_IGNORE_LOGFILE_ERRORS].sd_un.flag)
-#define I_MATCH_GROUP_BY_GID    106
+#define I_MATCH_GROUP_BY_GID    107
 #define def_match_group_by_gid  (sudo_defs_table[I_MATCH_GROUP_BY_GID].sd_un.flag)
-#define I_SYSLOG_MAXLEN         107
+#define I_SYSLOG_MAXLEN         108
 #define def_syslog_maxlen       (sudo_defs_table[I_SYSLOG_MAXLEN].sd_un.uival)
-#define I_IOLOG_USER            108
+#define I_IOLOG_USER            109
 #define def_iolog_user          (sudo_defs_table[I_IOLOG_USER].sd_un.str)
-#define I_IOLOG_GROUP           109
+#define I_IOLOG_GROUP           110
 #define def_iolog_group         (sudo_defs_table[I_IOLOG_GROUP].sd_un.str)
-#define I_IOLOG_MODE            110
+#define I_IOLOG_MODE            111
 #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
-#define I_FDEXEC                111
+#define I_FDEXEC                112
 #define def_fdexec              (sudo_defs_table[I_FDEXEC].sd_un.tuple)
-#define I_IGNORE_UNKNOWN_DEFAULTS 112
+#define I_IGNORE_UNKNOWN_DEFAULTS 113
 #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
-#define I_COMMAND_TIMEOUT       113
+#define I_COMMAND_TIMEOUT       114
 #define def_command_timeout     (sudo_defs_table[I_COMMAND_TIMEOUT].sd_un.ival)
-#define I_USER_COMMAND_TIMEOUTS 114
+#define I_USER_COMMAND_TIMEOUTS 115
 #define def_user_command_timeouts (sudo_defs_table[I_USER_COMMAND_TIMEOUTS].sd_un.flag)
-#define I_IOLOG_FLUSH           115
+#define I_IOLOG_FLUSH           116
 #define def_iolog_flush         (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag)
-#define I_SYSLOG_PID            116
+#define I_SYSLOG_PID            117
 #define def_syslog_pid          (sudo_defs_table[I_SYSLOG_PID].sd_un.flag)
-#define I_TIMESTAMP_TYPE        117
+#define I_TIMESTAMP_TYPE        118
 #define def_timestamp_type      (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple)
-#define I_AUTHFAIL_MESSAGE      118
+#define I_AUTHFAIL_MESSAGE      119
 #define def_authfail_message    (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str)
-#define I_CASE_INSENSITIVE_USER 119
+#define I_CASE_INSENSITIVE_USER 120
 #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
-#define I_CASE_INSENSITIVE_GROUP 120
+#define I_CASE_INSENSITIVE_GROUP 121
 #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
-#define I_LOG_ALLOWED           121
+#define I_LOG_ALLOWED           122
 #define def_log_allowed         (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
-#define I_LOG_DENIED            122
+#define I_LOG_DENIED            123
 #define def_log_denied          (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
-#define I_LOG_SERVERS           123
+#define I_LOG_SERVERS           124
 #define def_log_servers         (sudo_defs_table[I_LOG_SERVERS].sd_un.list)
-#define I_LOG_SERVER_TIMEOUT    124
+#define I_LOG_SERVER_TIMEOUT    125
 #define def_log_server_timeout  (sudo_defs_table[I_LOG_SERVER_TIMEOUT].sd_un.ival)
-#define I_LOG_SERVER_KEEPALIVE  125
+#define I_LOG_SERVER_KEEPALIVE  126
 #define def_log_server_keepalive (sudo_defs_table[I_LOG_SERVER_KEEPALIVE].sd_un.flag)
-#define I_LOG_SERVER_CABUNDLE   126
+#define I_LOG_SERVER_CABUNDLE   127
 #define def_log_server_cabundle (sudo_defs_table[I_LOG_SERVER_CABUNDLE].sd_un.str)
-#define I_LOG_SERVER_PEER_CERT  127
+#define I_LOG_SERVER_PEER_CERT  128
 #define def_log_server_peer_cert (sudo_defs_table[I_LOG_SERVER_PEER_CERT].sd_un.str)
-#define I_LOG_SERVER_PEER_KEY   128
+#define I_LOG_SERVER_PEER_KEY   129
 #define def_log_server_peer_key (sudo_defs_table[I_LOG_SERVER_PEER_KEY].sd_un.str)
-#define I_LOG_SERVER_VERIFY     129
+#define I_LOG_SERVER_VERIFY     130
 #define def_log_server_verify   (sudo_defs_table[I_LOG_SERVER_VERIFY].sd_un.flag)
-#define I_RUNAS_ALLOW_UNKNOWN_ID 130
+#define I_RUNAS_ALLOW_UNKNOWN_ID 131
 #define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
-#define I_RUNAS_CHECK_SHELL     131
+#define I_RUNAS_CHECK_SHELL     132
 #define def_runas_check_shell   (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
-#define I_PAM_RUSER             132
+#define I_PAM_RUSER             133
 #define def_pam_ruser           (sudo_defs_table[I_PAM_RUSER].sd_un.flag)
-#define I_PAM_RHOST             133
+#define I_PAM_RHOST             134
 #define def_pam_rhost           (sudo_defs_table[I_PAM_RHOST].sd_un.flag)
-#define I_RUNCWD                134
+#define I_RUNCWD                135
 #define def_runcwd              (sudo_defs_table[I_RUNCWD].sd_un.str)
-#define I_RUNCHROOT             135
+#define I_RUNCHROOT             136
 #define def_runchroot           (sudo_defs_table[I_RUNCHROOT].sd_un.str)
-#define I_LOG_FORMAT            136
+#define I_LOG_FORMAT            137
 #define def_log_format          (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
-#define I_SELINUX               137
+#define I_SELINUX               138
 #define def_selinux             (sudo_defs_table[I_SELINUX].sd_un.flag)
-#define I_ADMIN_FLAG            138
+#define I_ADMIN_FLAG            139
 #define def_admin_flag          (sudo_defs_table[I_ADMIN_FLAG].sd_un.str)
-#define I_INTERCEPT             139
+#define I_INTERCEPT             140
 #define def_intercept           (sudo_defs_table[I_INTERCEPT].sd_un.flag)
-#define I_LOG_SUBCMDS           140
+#define I_LOG_SUBCMDS           141
 #define def_log_subcmds         (sudo_defs_table[I_LOG_SUBCMDS].sd_un.flag)
-#define I_LOG_EXIT_STATUS       141
+#define I_LOG_EXIT_STATUS       142
 #define def_log_exit_status     (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
-#define I_INTERCEPT_AUTHENTICATE 142
+#define I_INTERCEPT_AUTHENTICATE 143
 #define def_intercept_authenticate (sudo_defs_table[I_INTERCEPT_AUTHENTICATE].sd_un.flag)
-#define I_INTERCEPT_ALLOW_SETID 143
+#define I_INTERCEPT_ALLOW_SETID 144
 #define def_intercept_allow_setid (sudo_defs_table[I_INTERCEPT_ALLOW_SETID].sd_un.flag)
-#define I_RLIMIT_AS             144
+#define I_RLIMIT_AS             145
 #define def_rlimit_as           (sudo_defs_table[I_RLIMIT_AS].sd_un.str)
-#define I_RLIMIT_CORE           145
+#define I_RLIMIT_CORE           146
 #define def_rlimit_core         (sudo_defs_table[I_RLIMIT_CORE].sd_un.str)
-#define I_RLIMIT_CPU            146
+#define I_RLIMIT_CPU            147
 #define def_rlimit_cpu          (sudo_defs_table[I_RLIMIT_CPU].sd_un.str)
-#define I_RLIMIT_DATA           147
+#define I_RLIMIT_DATA           148
 #define def_rlimit_data         (sudo_defs_table[I_RLIMIT_DATA].sd_un.str)
-#define I_RLIMIT_FSIZE          148
+#define I_RLIMIT_FSIZE          149
 #define def_rlimit_fsize        (sudo_defs_table[I_RLIMIT_FSIZE].sd_un.str)
-#define I_RLIMIT_LOCKS          149
+#define I_RLIMIT_LOCKS          150
 #define def_rlimit_locks        (sudo_defs_table[I_RLIMIT_LOCKS].sd_un.str)
-#define I_RLIMIT_MEMLOCK        150
+#define I_RLIMIT_MEMLOCK        151
 #define def_rlimit_memlock      (sudo_defs_table[I_RLIMIT_MEMLOCK].sd_un.str)
-#define I_RLIMIT_NOFILE         151
+#define I_RLIMIT_NOFILE         152
 #define def_rlimit_nofile       (sudo_defs_table[I_RLIMIT_NOFILE].sd_un.str)
-#define I_RLIMIT_NPROC          152
+#define I_RLIMIT_NPROC          153
 #define def_rlimit_nproc        (sudo_defs_table[I_RLIMIT_NPROC].sd_un.str)
-#define I_RLIMIT_RSS            153
+#define I_RLIMIT_RSS            154
 #define def_rlimit_rss          (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
-#define I_RLIMIT_STACK          154
+#define I_RLIMIT_STACK          155
 #define def_rlimit_stack        (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
-#define I_NONINTERACTIVE_AUTH   155
+#define I_NONINTERACTIVE_AUTH   156
 #define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
-#define I_LOG_PASSWORDS         156
+#define I_LOG_PASSWORDS         157
 #define def_log_passwords       (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag)
-#define I_PASSPROMPT_REGEX      157
+#define I_PASSPROMPT_REGEX      158
 #define def_passprompt_regex    (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list)
-#define I_INTERCEPT_TYPE        158
+#define I_INTERCEPT_TYPE        159
 #define def_intercept_type      (sudo_defs_table[I_INTERCEPT_TYPE].sd_un.tuple)
-#define I_INTERCEPT_VERIFY      159
+#define I_INTERCEPT_VERIFY      160
 #define def_intercept_verify    (sudo_defs_table[I_INTERCEPT_VERIFY].sd_un.flag)
-#define I_APPARMOR_PROFILE      160
+#define I_APPARMOR_PROFILE      161
 #define def_apparmor_profile    (sudo_defs_table[I_APPARMOR_PROFILE].sd_un.str)
-#define I_CMDDENIAL_MESSAGE     161
+#define I_CMDDENIAL_MESSAGE     162
 #define def_cmddenial_message   (sudo_defs_table[I_CMDDENIAL_MESSAGE].sd_un.str)
 
 enum def_tuple {

plugins/sudoers/def_data.in

@@ -304,6 +304,9 @@ pam_session
 pam_acct_mgmt
 	T_FLAG
 	"Perform PAM account validation management"
+pam_silent
+	T_FLAG
+	"Do not allow PAM authentication modules to generate output"
 maxseq
 	T_STR
 	"Maximum I/O log sequence number: %s"

plugins/sudoers/defaults.c

@@ -661,6 +661,7 @@ init_defaults(void)
     def_set_utmp = true;
     def_pam_acct_mgmt = true;
     def_pam_setcred = true;
+    def_pam_silent = true;
     def_syslog_maxlen = MAXSYSLOGLEN;
     def_case_insensitive_user = true;
     def_case_insensitive_group = true;