[sudo-workers] pam_setcred parameter

Radovan Sroka rsroka at redhat.com
Mon Jan 21 03:54:58 MST 2019

Hi Todd,

I think that sudo uses pam_setcred incorrectly.


After this commit sudo uses PAM_REINITIALIZE_CRED instead of
PAM_ESTABLISH_CRED, which is wrong. The Reinitialize flag can be used only
when Establish was already used and there was some change like UID or

Some PAM modules, like pam_cap.so, ignore Reinitialize and support only
Establish; that is why it has not worked with sudo since that commit and
capabilities are not applied to the new process.

Steps to Reproduce:
[root at rhel7u3-5 ~]# useradd netdiag
[root at rhel7u3-5 ~]# setcap cap_net_raw+ei /usr/sbin/tcpdump
[root at rhel7u3-5 ~]# echo "cap_net_raw+ei netdiag" >
[root at rhel7u3-5 ~]# cat /etc/pam.d/sudo
auth    optional    pam_cap.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
After commit:
[root at rhel7u3-5 ~]# sudo -u netdiag /usr/sbin/tcpdump -i lo
tcpdump: lo: You don't have permission to capture on that device
(socket: Operation not permitted)

Before commit:
[root at rhel7u3-5 ~]# sudo -u netdiag /usr/sbin/tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

I suggest using only Establish, or both as subsequent calls.

Radovan Sroka
Software Engineer | Security Technologies | Red Hat, Inc.
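An added diagnostic for the symptom described above (example code, not part of the original post or of sudo): after `sudo -u netdiag`, read the Cap* lines of /proc/self/status and test whether pam_cap placed cap_net_raw in the inheritable set. The capability bit number and the sample status text are assumptions labelled in the code.

```shell
#!/bin/sh
# Added example: decide from /proc/<pid>/status whether pam_cap applied
# cap_net_raw. Assumption: CAP_NET_RAW is bit 13 (linux/capability.h).
CAP_NET_RAW=13

# Constructed sample of the Cap* lines for a process where pam_cap did
# apply cap_net_raw to the inheritable set (bit 13 -> 0x2000).
SAMPLE_STATUS='CapInh: 0000000000002000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000001fffffffff
CapAmb: 0000000000000000'

# Constructed sample for the failing case (Reinitialize ignored by pam_cap).
MISSING_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000001fffffffff
CapAmb: 0000000000000000'

# cap_mask NAME TEXT -> prints the hex mask on the "NAME:" line of TEXT
cap_mask() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# cap_in_mask MASK BIT -> succeeds when BIT is set in the hex MASK
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# pam_cap_applied TEXT -> "applied" if CapInh carries cap_net_raw, else "missing"
pam_cap_applied() {
    inh=$(cap_mask CapInh "$1")
    if cap_in_mask "$inh" "$CAP_NET_RAW"; then
        echo applied
    else
        echo missing
    fi
}

# Live use: pam_cap_applied "$(cat /proc/self/status)" inside the sudo'd shell.
echo "sample: $(pam_cap_applied "$SAMPLE_STATUS")"
echo "missing: $(pam_cap_applied "$MISSING_STATUS")"
```

With the file capability `cap_net_raw+ei` on tcpdump, the inheritable bit is what lets the capability become effective across exec, so "missing" here explains the "Operation not permitted" above.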
