[PATCH] Support ambient capability vector in Linux PAM
Damien Miller
djm at mindrot.org
Sat Oct 2 11:21:16 AEST 2021
On Fri, 1 Oct 2021, Björn Fischer wrote:
> Hello everyone,
>
> originating from this discussion
>
> https://github.com/shadow-maint/shadow/pull/408
>
> and the work recently done in Linux libcap
>
> https://bugzilla.kernel.org/show_bug.cgi?id=214377#c3
>
> I would like to propose this patch to support the ambient
> capability vector in Linux PAM + libcap-2.58+.
>
> Background for this is that the setuid() systemcall drops
> all ambient capabilities for obvious security reasons. So,
> to support the ambient vector by using pam_cap.so in any
> login procedure, capabilites have to be set _after_ the
> last call to setuid(), which leaves the PAM cleanup code
> path as the only option.
>
> Calling pam_end() with PAM_DATA_SILENT is documented in
>
> http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_end
>
> Concerned about portability I am unsure if testing for
> PAM_DATA_SILENT is sufficient or if __LINUX_PAM__ should be
> preferred.
I guess my only concern is that this would cause pam_end() to
potentially be called multiple times, once in the parent process
(without PAM_DATA_SILENT) and zero to many times in child session
processes.
E.g. a forwarding-only session might have no child session process,
whereas a multiplexed connection might have many child processes,
all of which will share the same pam_handle.
How will PAM cope with this?
-d
More information about the openssh-unix-dev
mailing list