Same here: the bug is related to #580434 (su drops privileges before
calling pam_close_session), which is what causes the "Permission denied" messages.
I made a patch that moves the privilege change (change_uid) to after the fork
call, into the child process (the same logic as the coreutils and Mac OS
implementations of su), so that the parent process keeps its privileges and
can close the PAM session itself.
--- src/su.c.orig 2010-11-25 21:08:03.594408976 -0430
+++ src/su.c 2010-11-25 21:11:49.904408989 -0430
@@ -231,6 +231,13 @@
child = fork ();
if (child == 0) { /* child shell */
+ /* become the new user */
+ if (change_uid (&pwent) != 0) {
+ pam_close_session (pamh, 0);
+ pam_setcred (pamh, PAM_DELETE_CRED);
+ (void) pam_end (pamh, PAM_ABORT);
+ exit (1);
+ }
/*
* PAM_DATA_SILENT is not supported by some modules, and
* there is no strong need to clean up the process space's
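Review bot: The relocated error path still tears the PAM session down inside the child (`pam_close_session`, `pam_setcred (pamh, PAM_DELETE_CRED)`, `pam_end`), but after this move the parent owns the session and, as the second hunk shows, apparently runs `pam_setcred`/`pam_close_session` itself once the child is gone, so a failed `change_uid` now closes the session twice, from two processes, each with its own copy of `pamh`. The child should only report the failure and leave PAM cleanup to the parent, e.g. replace the three PAM calls with a `SYSLOG` line and `_exit (1)`; `_exit` also avoids running the parent's inherited atexit handlers and re-flushing its stdio buffers from the child. If `change_uid` can fail midway (say after the group change but before `setuid`), the child may still hold partial privileges here, which is another reason to exit immediately rather than call into PAM modules. The `if (child == 0)` body continues outside the hunk.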
@@ -297,6 +304,8 @@
kill (child, SIGTERM);
}
+ /* Not checking retval on this because we need to call close session */
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
ret = pam_close_session (pamh, 0);
if (PAM_SUCCESS != ret) {
SYSLOG ((LOG_ERR, "pam_close_session: %s",
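Review bot: The added `pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT)` runs before `pam_close_session`, which is the reverse of the order the child's error path in the first hunk (and the removed code in the third) uses — close the session, then delete credentials — and, as far as I recall, the reverse of what the Linux-PAM application guide recommends; a module whose session-close step needs credentials still present (a Kerberos ticket cache, for instance) could misbehave if they are deleted first. Unless the order is deliberate, move the call after the `pam_close_session` block so the two paths agree. The return value could also be logged instead of discarded, matching the `SYSLOG` pattern just below: `ret = pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT);` / `if (PAM_SUCCESS != ret) SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));`, still continuing to `pam_close_session` regardless. The enclosing function starts and ends outside the hunk.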
@@ -910,13 +919,6 @@
}
}
- /* become the new user */
- if (change_uid (&pwent) != 0) {
- pam_close_session (pamh, 0);
- pam_setcred (pamh, PAM_DELETE_CRED);
- (void) pam_end (pamh, PAM_ABORT);
- exit (1);
- }
#else /* !USE_PAM */
environ = newenvp; /* make new environment active */