Bug 213279

Summary: Add a pam_cap.so "autoauth" module option
Product: Tools
Reporter: Andrew G. Morgan (morgan)
Component: libcap
Assignee: Andrew G. Morgan (morgan)
Status: RESOLVED CODE_FIX
Severity: enhancement
Priority: P1
Hardware: All
OS: Linux
Kernel Version: n/a
Subsystem:
Regression: No
Bisected commit-id:

Description Andrew G. Morgan 2021-05-30 22:57:42 UTC
It appears that there are some cases where PAM configs for pam_cap.so might benefit from successful (pass-through) authentication, with the only useful action performed as part of the setcred function.

An example of this was discussed in this Q&A:

https://unix.stackexchange.com/questions/650400/granting-capabilities-to-a-user-through-pam-doesnt-apply-to-ssh

It is not clear to me why we can't support this. As such, I plan to add an "autoauth" module arg feature which will cause the module to return PAM_SUCCESS when it is executed as pam_sm_authenticate(). The pam_sm_setcred() invocation will ignore this argument, and apply the inheritable capabilities associated with the user.
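
Because "autoauth" makes pam_sm_authenticate() return PAM_SUCCESS, the control value on the `auth` line decides whether that success passes through to later modules or ends the stack before they run. The following is an added example, not part of the bug report or of libcap: a small audit that flags such lines. Assumptions: standard Linux-PAM control semantics (`sufficient` behaves as `success=done`), the /etc/pam.d file format, and a constructed sample config.

```python
import os
SIMPLE = {"sufficient": "done", "required": "ok", "requisite": "ok", "optional": "ok"}

def parse_pam_line(line):
    """Split one /etc/pam.d line into (type, control, module, args), or None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3:
        return None
    end = 1
    if fields[1].startswith("["):
        # A bracketed control such as [success=done default=ignore] spans tokens.
        end = next((i for i in range(1, len(fields)) if fields[i].endswith("]")), 0)
    if end == 0 or end + 1 >= len(fields):
        return None
    control = " ".join(fields[1:end + 1]).strip("[]")
    return fields[0].lstrip("-").lower(), control, fields[end + 1], fields[end + 2:]

def success_action(control):
    """Return the action taken on PAM_SUCCESS, or None if the line gives none."""
    if control.lower() in SIMPLE:
        return SIMPLE[control.lower()]
    actions = dict(item.partition("=")[::2] for item in control.split())
    return actions.get("success", actions.get("default"))

def audit(text):
    """Return (line_number, reason) for risky 'auth ... pam_cap.so autoauth' lines."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        mtype, control, module, args = parse_pam_line(line) or ("", "", "", [])
        if (mtype, os.path.basename(module)) != ("auth", "pam_cap.so"):
            continue
        action = success_action(control) if "autoauth" in args else None
        if action == "done":
            findings.append((num, "success ends the auth stack"))
        elif action and action.isdigit():
            findings.append((num, f"success skips the next {action} module(s)"))
    return findings

# Constructed sample in /etc/pam.d/<service> format (not from the bug report).
SAMPLE = """\
auth  optional    pam_cap.so autoauth
auth  sufficient  pam_cap.so autoauth
auth  [success=done default=ignore] pam_cap.so autoauth
auth  sufficient  pam_cap.so debug
auth  required    pam_unix.so
"""

if __name__ == "__main__":
    for num, reason in audit(SAMPLE):
        print(f"line {num}: {reason}")
```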