[sudo-workers] pam_setcred parameter

Todd C. Miller Todd.Miller at sudo.ws
Mon Jan 21 05:42:39 MST 2019


On Mon, 21 Jan 2019 11:54:58 +0100, Radovan Sroka wrote:

> I think that sudo uses pam_setcred incorrectly.
>
> https://www.sudo.ws/repos/sudo/rev/ec23c3bf41bb
>
> After this commit sudo uses PAM_REINITIALIZE_CRED instead of
> PAM_ESTABLISH_CRED, which is wrong. The Reinitialize flag can be used only
> in the case when Establish was already used and there was some change like
> the UID or something.

Please see https://bugzilla.sudo.ws/show_bug.cgi?id=642 for the
reason for this change.  Since sudo is changing the uid of an
already-established user session, PAM_REINITIALIZE_CRED is appropriate.

> Some PAM modules like pam_cap.so ignore Reinitialize and support only
> Establish, and that's why it is not working with sudo since that commit and
> does not apply capabilities to the new process.

That sounds like a bug in those PAM modules, not sudo.

 - todd
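An added illustration of the point in dispute, not code from sudo or pam_cap: a module-side flag dispatch that honours only PAM_ESTABLISH_CRED (so sudo's PAM_REINITIALIZE_CRED after its uid change never applies anything) beside one that treats Reinitialize as a re-apply. The function names are mine, and the fallback constants assume Linux-PAM's values for when the header is not installed.

```c
/* Added example: setcred flag handling for a PAM module, not code from sudo or
 * pam_cap. Uses the Linux-PAM header when present; the fallback values are
 * assumed to be Linux-PAM's own, so the logic compiles and runs without libpam. */
#ifdef __has_include
#  if __has_include(<security/pam_modules.h>)
#    include <security/pam_modules.h>
#    define HAVE_PAM_MODULES_H 1
#  endif
#endif
#ifndef HAVE_PAM_MODULES_H
#  define PAM_ESTABLISH_CRED    0x0002
#  define PAM_DELETE_CRED       0x0004
#  define PAM_REINITIALIZE_CRED 0x0008
#  define PAM_REFRESH_CRED      0x0010
#  define PAM_SILENT            0x8000
#endif

enum cred_action { CRED_APPLY, CRED_REMOVE, CRED_NOOP, CRED_BAD_FLAGS };

/* The pattern the thread describes: only PAM_ESTABLISH_CRED applies anything,
 * so the PAM_REINITIALIZE_CRED sudo issues after changing uid is a no-op and
 * the module's credentials (for pam_cap, a capability set) never land. */
enum cred_action cred_action_establish_only(int flags)
{
    switch (flags & ~PAM_SILENT) {      /* PAM_SILENT only suppresses messages */
    case PAM_ESTABLISH_CRED:            return CRED_APPLY;
    case PAM_DELETE_CRED:               return CRED_REMOVE;
    case PAM_REINITIALIZE_CRED:
    case PAM_REFRESH_CRED:              return CRED_NOOP;
    default:                            return CRED_BAD_FLAGS;
    }
}

/* Corrected dispatch: Reinitialize re-applies credentials, because the caller
 * has changed the uid of a session whose credentials were already established.
 * Exactly one of the four operation flags must be set; anything else is an
 * error rather than a silent no-op. */
enum cred_action cred_action(int flags)
{
    switch (flags & ~PAM_SILENT) {
    case PAM_ESTABLISH_CRED:
    case PAM_REINITIALIZE_CRED:         return CRED_APPLY;
    case PAM_REFRESH_CRED:              return CRED_NOOP;   /* nothing expiring to renew */
    case PAM_DELETE_CRED:               return CRED_REMOVE;
    default:                            return CRED_BAD_FLAGS; /* zero or several set */
    }
}
```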