Package: libpam-afs-session
Version: 2.5-4

When sudo's pam_setcred option is true (which it is by default in jessie
but not in previous releases; e.g. neither wheezy nor Ubuntu trusty are
affected by this problem out of the box), running sudo will result in the
loss of AFS tokens. These are destroyed by pam_afs_session on exit from the
sudo session. Adding
        Defaults !pam_setcred
to /etc/sudoers is sufficient to cause the AFS tokens to survive (as desired).

Here is an extract from auth.log when pam_afs_session is called with debug on:

sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: entry (0x8)
sudo: pam_afs_session(sudo:setcred): running /usr/bin/aklog as UID 0
sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: exit (success)
sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
sudo: pam_afs_session(sudo:session): pam_sm_open_session: entry (0x0)
sudo: pam_afs_session(sudo:session): skipping, apparently already ran
sudo: pam_afs_session(sudo:session): pam_sm_open_session: exit (success)
sudo: pam_unix(sudo:session): session closed for user root
sudo: pam_afs_session(sudo:session): pam_sm_close_session: entry (0x8000)
sudo: pam_afs_session(sudo:session): destroying tokens
sudo: pam_afs_session(sudo:session): pam_sm_close_session: exit (success)
sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: entry (0x8004)
sudo: pam_afs_session(sudo:setcred): destroying tokens
sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: exit (success)

The above is with the default setting (pam_setcred). With !pam_setcred I get:

sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
sudo: pam_afs_session(sudo:session): pam_sm_open_session: entry (0x0)
sudo: pam_afs_session(sudo:session): running /usr/bin/aklog as UID 0
sudo: pam_afs_session(sudo:session): pam_sm_open_session: exit (success)
sudo: pam_unix(sudo:session): session closed for user root
sudo: pam_afs_session(sudo:session): pam_sm_close_session: entry (0x8000)
sudo: pam_afs_session(sudo:session): destroying tokens
sudo: pam_afs_session(sudo:session): pam_sm_close_session: exit (success)

which matches what I see with older versions of sudo.

The problem seems to be caused by sudo's use of the PAM_REINITIALIZE_CRED flag,
which causes pam_sm_setcred() to not create a new PAG.

I'm not quite sure how to apportion blame (between sudo and pam_afs_session),
nor how best to fix the issue; but others have been puzzled by this change
of behavior before (it was discussed on openafs-info some time ago), so it
should at least be documented (perhaps in the release notes for jessie?).

