Bug 215147
| Summary: | PAM substack compatibility with pam_cap.so | | |
|---|---|---|---|
| Product: | Tools | Reporter: | Andrew G. Morgan (morgan) |
| Component: | libcap | Assignee: | Tools/Libcap default virtual assignee (tools_libcap) |
| Status: | RESOLVED ANSWERED | | |
| Severity: | normal | | |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | n/a | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | Patch for util-linux to make it Linux-PAM compliant | | |

Description
Andrew G. Morgan
2021-11-26 15:58:45 UTC
Created attachment 299743
Patch for util-linux to make it Linux-PAM compliant
This is needed for pam_cap.so to work with keepcaps and defer module arguments.
Using the 2.61-0 spec file I've added to https://bugzilla.redhat.com/show_bug.cgi?id=1919609, I had no trouble getting the util-linux su version from util-linux (that included the attached patch) to support ambient capabilities. This is the auth selection from system-auth that I'm using (it has the single pam_cap.so line) added over what Fedora-34 defaults to:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth sufficient pam_fprintd.so
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth optional pam_cap.so keepcaps defer
    auth sufficient pam_unix.so nullok try_first_pass
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so
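
A check that can be run after adding a line to a stack that uses numeric jump actions, given here as an added example that is not part of the original report, libcap or util-linux. In Linux-PAM a bracketed control value such as `default=1` jumps over the next 1 module, so the script resolves every jump in the auth stack quoted above and reports which modules each one steps over; the function names `parse`, `resolve_jumps` and `jumps_over` are assumptions of this example.

```python
import re

# Auth stack as quoted in the comment above, one entry per line.
STACK = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth optional pam_cap.so keepcaps defer
auth sufficient pam_unix.so nullok try_first_pass
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# type, control (simple keyword or [k=v ...]), module, optional arguments
ENTRY = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text, mtype="auth"):
    """Return (control, module, args) for every entry of one module type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        m = ENTRY.match(line)
        if line and m is None:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        if m and m.group(1) == mtype:
            entries.append(m.groups()[1:])
    return entries

def resolve_jumps(entries):
    """List (index, module, return_value, skipped_modules, landing_module)."""
    out = []
    for i, (control, module, _) in enumerate(entries):
        if not control.startswith("["):
            continue
        for pair in control[1:-1].split():
            key, _, action = pair.partition("=")
            if action.isdigit():                # numeric action: skip N modules
                n = int(action)
                skipped = [e[1] for e in entries[i + 1:i + 1 + n]]
                rest = entries[i + 1 + n:]
                out.append((i, module, key, skipped, rest[0][1] if rest else None))
    return out

def jumps_over(entries, target):
    """Jumps whose skipped range contains the target module."""
    return [j for j in resolve_jumps(entries) if target in j[3]]
```

Calling `jumps_over(parse(STACK), "pam_cap.so")` lists the entries whose numeric action would step past the pam_cap.so line, which is the thing to re-check whenever a module is inserted below a `[default=N ...]` entry.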