[sudo-workers] pam_setcred parameter

Todd C. Miller Todd.Miller at sudo.ws
Mon Jan 21 05:42:39 MST 2019

On Mon, 21 Jan 2019 11:54:58 +0100, Radovan Sroka wrote:

> I think that sudo uses pam_setcred incorrectly.
> https://www.sudo.ws/repos/sudo/rev/ec23c3bf41bb
> After this commit sudo uses PAM_REINITIALIZE_CRED instead of
> PAM_ESTABLISH_CRED which is wrong. Reinitialize flag can be used only in
> case when Establish was already used and there was some change like UID or
> something.

Please see https://bugzilla.sudo.ws/show_bug.cgi?id=642 for the
reason for this chaange.  Since sudo is changing the uid of an
already-established user session, PAM_REINITIALIZE_CRED is appropriate.

> Some pam modules like pam_cap.so ignore Reinitialize and support only
> Establish and that's why it is not working with sudo since that commit and
> does not apply capabilities to new process.

That sounds like a bug in those PAM modules, not sudo.

 - todd

More information about the sudo-workers mailing list