Another attempt at supporting Ambient vector setting from pam_cap.so.

While the session idea worked with contrib/sucap/su.c, it failed on
more traditional PAM apps. For a second (likely last) attempt to find a
path, I've deleted the session support and now attempt to do the setting
via a PAM data item cleanup() callback. In the contrib/sucap/su.c code,
evolved from the original SimplePAMApps 'su', there is a

   pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT)

from within the fork()d launcher code, so I hope this convention is
standard for all the PAM apps that came after.

The suggested config for this module, for an app that wants to support
the Ambient vector, is thus now:

    #%PAM-1.0
    auth            required pam_cap.so keepcaps defer
    auth            required pam_unix.so
    account         required pam_unix.so
    password        required pam_unix.so
    session         required pam_unix.so

This is all part of an effort to address:

   https://bugzilla.kernel.org/show_bug.cgi?id=214377

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
3 files changed
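
The following model is an added example, not code from this commit or from pam_cap.so. It shows how a data item cleanup callback can tell the launcher's pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) apart from other teardown paths. Assumptions: the gating policy, struct deferred, model_handle, model_end() and applied_for() are hypothetical, and the PAM constants are defined locally so the file builds without libpam.

```c
#include <stdio.h>

/* Linux-PAM flag values, defined locally so the model builds without libpam. */
#ifndef PAM_SUCCESS
#define PAM_SUCCESS      0
#define PAM_AUTH_ERR     7
#define PAM_DATA_REPLACE 0x20000000
#define PAM_DATA_SILENT  0x40000000
#endif

/* Hypothetical stand-in for capability state saved during the auth phase. */
struct deferred { int applied; int freed; };

/* Shape of a PAM data cleanup callback, minus the pam_handle_t argument. */
typedef void (*cleanup_fn)(void *data, int error_status);

/* Assumed gating policy: apply only on a successful, silent pam_end(). */
static void deferred_cleanup(void *data, int error_status)
{
    struct deferred *d = data;
    int status = error_status & ~(PAM_DATA_REPLACE | PAM_DATA_SILENT);

    if (!(error_status & PAM_DATA_REPLACE) &&  /* not an item overwrite */
        (error_status & PAM_DATA_SILENT) &&    /* the launcher's pam_end() */
        status == PAM_SUCCESS)
        d->applied = 1;  /* a real module would raise Ambient bits here */
    d->freed = 1;        /* the item is released on every path */
}

/* Model of pam_end(): hand the caller's status to the item's cleanup. */
struct model_handle { void *data; cleanup_fn cleanup; };

static void model_end(struct model_handle *h, int status)
{
    if (h->cleanup)
        h->cleanup(h->data, status);
    h->data = NULL;
    h->cleanup = NULL;
}

/* Returns 1 if the deferred setting is applied for this pam_end() status. */
int applied_for(int end_status)
{
    struct deferred d = {0, 0};
    struct model_handle h = { &d, deferred_cleanup };
    model_end(&h, end_status);
    return d.freed ? d.applied : -1;
}
```

In this model an application that ends the PAM transaction without PAM_DATA_SILENT, or with a failure status, never triggers the deferred setting, which is why the convention used in contrib/sucap/su.c matters.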