Add PAM "session" support to pam_cap.so.
This is an attempt to address:
https://bugzilla.kernel.org/show_bug.cgi?id=214377
The basic structure is you configure PAM with a config like this:
#%PAM-1.0
auth required pam_cap.so use_session keepcaps
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session optional pam_cap.so
Here the "auth" part prepares the application with "keepcaps", and the
"use_session" instructs the module to apply any IAB tuple for the user
at session open time and not during the setcred (auth) flow.
This has been tested against the contrib/sucap implementation of su.
The "use_session" support should work with more standard PAM enabled
apps too, but I'll wait for some positive feedback (see the bug)
before declaring it stable.
FWIW the contrib/sucap/su app also supports this config for Ambient
vector setting (without a "session" invocation of pam_cap.so):
#%PAM-1.0
auth required pam_cap.so
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
but that is because the sucap/su app is more tightly integrated with
libcap than the standard PAM apps.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
3 files changed
