authorAndrew G. Morgan <morgan@kernel.org>2021-09-13 21:08:42 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-09-13 21:08:42 -0700
commitfc6253b9de68dafae1927b2bcbfcef9e9ec6e05a (patch)
tree4ff7116780d9bc5ab717f4c4a539e97a5380af17 /pam_cap/test_pam_cap.c
parenta3446b5c6e0879b289287c9a87a57cbdc95e99da (diff)
Add PAM "session" support to pam_cap.so.
This is an attempt to address: https://bugzilla.kernel.org/show_bug.cgi?id=214377 The basic structure is that you configure PAM with a config like this: #%PAM-1.0 auth required pam_cap.so use_session keepcaps auth required pam_unix.so account required pam_unix.so password required pam_unix.so session required pam_unix.so session optional pam_cap.so Here the "auth" part prepares the application with "keepcaps", and the "use_session" instructs the module to apply any IAB tuple for the user at session open time and not during the setcred (auth) flow. This has been tested against the contrib/sucap implementation of su. The "use_session" support should work with more standard PAM enabled apps too, but I'll wait for some positive feedback (see the bug) before declaring it stable. FWIW the contrib/sucap/su app also supports this config for Ambient vector setting (without a "session" invocation of pam_cap.so): #%PAM-1.0 auth required pam_cap.so auth required pam_unix.so account required pam_unix.so password required pam_unix.so session required pam_unix.so but that is because the sucap/su app is more tightly integrated with libcap than the standard PAM apps. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'pam_cap/test_pam_cap.c')
-rw-r--r--pam_cap/test_pam_cap.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/pam_cap/test_pam_cap.c b/pam_cap/test_pam_cap.c
index 4c67cad..0a58da6 100644
--- a/pam_cap/test_pam_cap.c
+++ b/pam_cap/test_pam_cap.c
@@ -134,31 +134,35 @@ struct vargs {
static int test_arg_parsing(void) {
static struct vargs vs[] = {
{
- { 1, 0, 0, NULL, NULL, NULL },
+ { 1, 0, 0, 0, NULL, NULL, NULL },
{ "debug", NULL }
},
{
- { 0, 1, 0, NULL, NULL, NULL },
+ { 0, 1, 0, 0, NULL, NULL, NULL },
{ "keepcaps", NULL }
},
{
- { 0, 0, 1, NULL, NULL, NULL },
+ { 0, 0, 1, 0, NULL, NULL, NULL },
{ "autoauth", NULL }
},
{
- { 1, 0, 1, NULL, NULL, NULL },
+ { 1, 0, 1, 0, NULL, NULL, NULL },
{ "autoauth", "debug", NULL }
},
{
- { 0, 0, 0, NULL, "/over/there", NULL },
+ { 0, 0, 0, 0, NULL, "/over/there", NULL },
{ "config=/over/there", NULL }
},
{
- { 0, 0, 0, NULL, NULL, "^cap_setfcap" },
+ { 0, 0, 0, 0, NULL, NULL, "^cap_setfcap" },
{ "default=^cap_setfcap", NULL }
},
{
- { 0, 0, 0, NULL, NULL, NULL },
+ { 0, 0, 0, 1, NULL, NULL, NULL },
+ { "use_session", NULL }
+ },
+ {
+ { 0, 0, 0, 0, NULL, NULL, NULL },
{ NULL }
}
};
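Review bot: The new `use_session` row exercises the option only on its own, while the commit description's example configuration passes `use_session keepcaps` together on one `auth` line; a combined row such as `{ 0, 1, 0, 1, NULL, NULL, NULL }, { "use_session", "keepcaps", NULL }` would pin that pairing in the same table so a parser regression that makes the two flags clobber each other is caught here. The positional initializers also mean the meaning of the newly inserted fourth column is only recoverable from the definition of struct vargs, which sits above the hunk, and every existing row had to be touched to add it; designated initializers (`{ .debug = 1 }`-style, using the actual member names of the struct) would make each row self-describing and let future members be added without editing every entry. The body of test_arg_parsing continues past the end of the hunk.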