[PATCH] Support ambient capability vector in Linux PAM

Damien Miller djm at mindrot.org
Sat Oct 2 11:21:16 AEST 2021

On Fri, 1 Oct 2021, Björn Fischer wrote:

> Hello everyone,
> originating from this discussion
>    https://github.com/shadow-maint/shadow/pull/408
> and the work recently done in Linux libcap
>    https://bugzilla.kernel.org/show_bug.cgi?id=214377#c3
> I would like to propose this patch to support the ambient
> capability vector in Linux PAM + libcap-2.58+.
> Background for this is that the setuid() systemcall drops
> all ambient capabilities for obvious security reasons. So,
> to support the ambient vector by using pam_cap.so in any
> login procedure, capabilites have to be set _after_ the
> last call to setuid(), which leaves the PAM cleanup code
> path as the only option.
> Calling pam_end() with PAM_DATA_SILENT is documented in
> http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_end
> Concerned about portability I am unsure if testing for
> PAM_DATA_SILENT is sufficient or if __LINUX_PAM__ should be
> preferred.

I guess my only concern is that this would cause pam_end() to
potentially be called multiple times, once in the parent process
(without PAM_DATA_SILENT) and zero to many times in child session

E.g. a forwarding-only session might have no child session process,
whereas a multiplexed connection might have many child processes,
all of which will share the same pam_handle.

How will PAM cope with this?


More information about the openssh-unix-dev mailing list