From 58eca19f740f632262ba915a0b4160f7bbac134b Mon Sep 17 00:00:00 2001
From: Tim McMullan <mcmullan@schedmd.com>
Date: Thu, 2 Nov 2023 16:17:10 -0400
Subject: [PATCH 1/4] pam_slurm - switch to internal version of
 _pam_drop_reply()

Linux-PAM deprecated _pam_drop_reply().  Implement a basic replacement
internally and use that function instead.

For our use case the response message is simply a single NULL string.

Cherry-picked: bb7e50a8a3
Ticket: 17724
---
 contribs/pam/pam_slurm.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/contribs/pam/pam_slurm.c b/contribs/pam/pam_slurm.c
index 20d21a9f4ac..808aef3c18b 100644
--- a/contribs/pam/pam_slurm.c
+++ b/contribs/pam/pam_slurm.c
@@ -176,6 +176,19 @@ _log_msg(int level, const char *format, ...)
 	return;
 }
 
+/*
+ * pam 1.5.3 stopped providing _pam_drop_reply().  Our use does not currently
+ * fetch sensitive data so simply free this structure.
+ */
+static void _pam_slurm_drop_response(struct pam_response *reply, int replies)
+{
+	for (int i = 0; i < replies; i++) {
+		if (reply[i].resp)
+			free(reply[i].resp);
+	}
+	free(reply);
+}
+
 /*
  *  Parses module args passed via PAM's config.
  */
@@ -414,7 +427,7 @@ _send_denial_msg(pam_handle_t *pamh, struct _options *opts,
 		_log_msg(LOG_ERR, "unable to converse with app: %s",
 			 pam_strerror(pamh, retval));
 	if (prsp != NULL)
-		_pam_drop_reply(prsp, 1);
+		_pam_slurm_drop_response(prsp, 1);
 
 	return;
 }

From fc7b9a765acf39453e2660d06372c722c00dd1cd Mon Sep 17 00:00:00 2001
From: Tim McMullan <mcmullan@schedmd.com>
Date: Thu, 2 Nov 2023 16:18:46 -0400
Subject: [PATCH 2/4] pam_slurm_adopt - switch to internal version of
 _pam_drop_reply()

Linux-PAM deprecated _pam_drop_reply().  Implement a basic replacement
internally and use that function instead.

For our use case the response message is simply a single NULL string.

Cherry-picked: 07d30f8f2e
Ticket: 17724
---
 contribs/pam_slurm_adopt/helper.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/contribs/pam_slurm_adopt/helper.c b/contribs/pam_slurm_adopt/helper.c
index 69a4d3af9ab..7c6bbfa095e 100644
--- a/contribs/pam_slurm_adopt/helper.c
+++ b/contribs/pam_slurm_adopt/helper.c
@@ -100,6 +100,19 @@ _log_msg(int level, const char *format, ...)
 	return;
 }
 
+/*
+ * pam 1.5.3 stopped providing _pam_drop_reply().  Our use does not currently
+ * fetch sensitive data so simply free this structure.
+ */
+static void _pam_slurm_drop_response(struct pam_response *reply, int replies)
+{
+	for (int i = 0; i < replies; i++) {
+		if (reply[i].resp)
+			free(reply[i].resp);
+	}
+	free(reply);
+}
+
 /*
  *  Sends a message to the application informing the user
  *  that access was denied due to Slurm.
@@ -141,7 +154,7 @@ send_user_msg(pam_handle_t *pamh, const char *mesg)
 		_log_msg(LOG_ERR, "unable to converse with app: %s",
 			 pam_strerror(pamh, retval));
 	if (prsp != NULL)
-		_pam_drop_reply(prsp, 1);
+		_pam_slurm_drop_response(prsp, 1);
 
 	return;
 }

From 5a5bb0e287b73a63af766b202de530b421202801 Mon Sep 17 00:00:00 2001
From: Albert Gil <albert.gil@schedmd.com>
Date: Sun, 15 Dec 2024 12:59:01 +0100
Subject: [PATCH 3/4] Testsuite - Improve run_command avoiding su

Ticket: 21648
Cherry-picked: d132397671
---
 testsuite/python/lib/atf.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/testsuite/python/lib/atf.py b/testsuite/python/lib/atf.py
index eee7f420c74..a928bc5d6b4 100644
--- a/testsuite/python/lib/atf.py
+++ b/testsuite/python/lib/atf.py
@@ -185,9 +185,16 @@ def run_command(
                     "This test requires the test user to have unprompted sudo rights",
                     allow_module_level=True,
                 )
-            # Use su to honor ulimits, specially core
             cp = subprocess.run(
-                ["sudo", "su", user, "/bin/bash", "-lc", command],
+                [
+                    "sudo",
+                    "--preserve-env=PATH",
+                    "-u",
+                    user,
+                    "/bin/bash",
+                    "-lc",
+                    command,
+                ],
                 capture_output=True,
                 text=True,
                 **additional_run_kwargs,

From dee600582d772c49704e5901d20aa28ddef87e7c Mon Sep 17 00:00:00 2001
From: Albert Gil <albert.gil@schedmd.com>
Date: Sun, 15 Dec 2024 13:03:08 +0100
Subject: [PATCH 4/4] Testsuite - Fix test_102_1 ensuring PATH is preserved

Ticket: 21648
Cherry-picked: 162d73ae7a
---
 testsuite/python/tests/test_102_1.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testsuite/python/tests/test_102_1.py b/testsuite/python/tests/test_102_1.py
index 88f5d8f62b0..30cc2ef4aef 100644
--- a/testsuite/python/tests/test_102_1.py
+++ b/testsuite/python/tests/test_102_1.py
@@ -388,7 +388,7 @@ def test_add_federation_existing_cluster():
     )
     child = pexpect.spawn(
         "sudo",
-        ["-nu", atf.properties["slurm-user"], "/bin/bash", "-lc", command],
+        ["--preserve-env=PATH", "-nu", atf.properties["slurm-user"], "/bin/bash", "-lc", command],
         encoding="utf-8",
     )
     assert (