Sergio Gelato <sergio.gel...@astro.su.se> writes:

> Package: libpam-afs-session
> Version: 2.5-4

> When sudo's pam_setcred option is true (which it is by default in jessie
> but not in previous releases; e.g. neither wheezy nor Ubuntu trusty are
> affected by this problem out of the box), running sudo will result in
> the loss of AFS tokens. These are destroyed by pam_afs_session on exit
> from the sudo session. Adding

>       Defaults !pam_setcred

> to /etc/sudoers is sufficient to cause the AFS tokens to survive (as
> desired).

Who loses tokens?  The calling user outside of the sudo session, processes
run during the sudo session, unrelated root processes on the system, or
something else?

> The problem seems to be caused by sudo's use of the
> PAM_REINITIALIZE_CRED flag, which causes pam_sm_setcred() to not create
> a new PAG.

> I'm not quite sure how to apportion blame (between sudo and
> pam_afs_session) nor how best to fix the issue; but others have been
> puzzled by this change of behavior before (it was discussed on
> openafs-info some time ago) so it should at least be documented (perhaps
> in the release notes for jessie?)

I'm inclined to call this a sudo bug, since calling PAM_REINITIALIZE_CRED
and then pam_open_session makes no sense to me.  Either one is creating a
new session, in which case one is not reinitializing the existing session,
or one isn't, in which case pam_open_session should not be called.  The
primary purpose of PAM_REINITIALIZE_CRED is to support screensavers and
similar programs that need to refresh the credentials of an existing PAM
session managed by some other program.

That said, although that's an (IMO) nonsensical PAM call sequence, I'm
surprised that it results in the PAM tokens being deleted in an unexpected
way, so it may be something I can fix with additional details about
exactly what tokens are being unexpectedly deleted.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
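As an added example, not part of this bug report or of pam-afs-session, the following shell script checks for the symptom Sergio describes: it counts the caller's AFS tokens before and after a no-op sudo and reports whether they disappeared. It assumes the OpenAFS `tokens` command and a sudo that can run non-interactively (`sudo -n`); the sample output in the comments is constructed.

```shell
#!/bin/sh
# Check whether running sudo destroys the calling user's AFS tokens
# (the pam_setcred / PAM_REINITIALIZE_CRED interaction discussed above).

# count_afs_tokens: count token lines in `tokens`-style output read from stdin.
# OpenAFS `tokens` prints one line per cell, for example (constructed):
#   User's (AFS ID 1234) tokens for afs@example.org [Expires Jan  1 00:00]
# `grep -c` prints 0 and exits 1 when nothing matches, so force success.
count_afs_tokens() {
    grep -c "tokens for" || true
}

# tokens_lost BEFORE AFTER: true (exit 0) when a non-zero token count
# before sudo became zero after it.
tokens_lost() {
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

# check_sudo_keeps_tokens: run a no-op sudo and compare the token counts.
# Exit 0 if tokens survived, 1 if they were lost, 2 if the check cannot run.
check_sudo_keeps_tokens() {
    command -v tokens >/dev/null 2>&1 || { echo "tokens command not found"; return 2; }
    before=$(tokens | count_afs_tokens)
    sudo -n true 2>/dev/null || { echo "sudo not usable non-interactively"; return 2; }
    after=$(tokens | count_afs_tokens)
    if tokens_lost "$before" "$after"; then
        echo "AFS tokens lost across sudo ($before -> $after);" \
             "consider 'Defaults !pam_setcred' in /etc/sudoers"
        return 1
    fi
    echo "AFS tokens survived sudo ($before -> $after)"
    return 0
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced or tested on their own.
if [ "${1-}" = "--check" ]; then
    check_sudo_keeps_tokens
fi
```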

