Bug 213279 - Add a pam_cap.so "autoauth" module option
Summary: Add a pam_cap.so "autoauth" module option
Status: RESOLVED CODE_FIX
Alias: None
Product: Tools
Classification: Unclassified
Component: libcap
Hardware: All Linux
Importance: P1 enhancement
Assignee: Andrew G. Morgan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-30 22:57 UTC by Andrew G. Morgan
Modified: 2021-05-30 23:54 UTC

See Also:
Kernel Version: n/a
Subsystem:
Regression: No
Bisected commit-id:



Description Andrew G. Morgan 2021-05-30 22:57:42 UTC
It appears that there are some cases where PAM configs to pam_cap.so might benefit from successful (pass through) authentication, and only useful action as part of the setcred function.

An example of this was discussed in this Q&A:

https://unix.stackexchange.com/questions/650400/granting-capabilities-to-a-user-through-pam-doesnt-apply-to-ssh

It is not clear to me why we can't support this. As such, I plan to add an "autoauth" module arg feature which will cause the module to return PAM_SUCCESS when it is executed as pam_sm_authenticate(). The pam_sm_setcred() invocation will ignore this argument, and apply the inheritable capabilities associated with the user.
