< Accumulated haul | Russ Allbery > Eagle's Path > September 2015 | INN 2.6.0 > |
I no longer use this PAM module, since I don't use AFS any more, and it's actually orphaned. But there was a bug report against the Debian package that was actually a PAM issue, not an AFS issue, so I went ahead and fixed that.
The bug was that running sudo when you had the AFS PAM module enabled would delete your tokens. This was because sudo calls pam_setcred and pam_open_session in a somewhat strange way, leading the PAM module to think that sudo was taking ownership of the token but without putting the user in a new PAG. Then, when sudo closed its PAM session, the module would erroneously delete the token.
The fix is to not set the flag to skip subsequent open_session and close_session handling when called with PAM_REINITIALIZE_CRED or PAM_REFRESH_CRED. This preserves correct session handling behavior and avoids this issue.
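A minimal model of the failure and the fix described above, added here as an illustration; it is not pam-afs-session's code. The PAG table, the `session_done` flag name, the `fixed` switch and the call order (setcred with PAM_REINITIALIZE_CRED, then open and close session) are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Flag values from Linux-PAM's <security/_pam_types.h>. */
#define PAM_REINITIALIZE_CRED 0x0008U
#define PAM_REFRESH_CRED      0x0010U

/* Toy model (assumption): PAG n either holds a token or it does not. */
struct model {
    bool token[4];     /* token[n]: PAG n currently has a token */
    int  cur_pag;      /* PAG of the process calling into PAM */
    int  next_pag;     /* next unused PAG number */
    bool session_done; /* the flag that skips later session handling */
    bool fixed;        /* true: behave as described for the fix */
};

static void setcred(struct model *m, unsigned flags) {
    bool reinit = (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) != 0;
    if (!reinit)
        m->cur_pag = m->next_pag++;   /* establish: move into a new PAG */
    m->token[m->cur_pag] = true;      /* obtain or refresh the token */
    if (!reinit || !m->fixed)
        m->session_done = true;       /* bug: set even without a new PAG */
}

static void open_session(struct model *m) {
    if (m->session_done) return;      /* skipped: setcred claimed the session */
    m->cur_pag = m->next_pag++;       /* normal handling: new PAG, new token */
    m->token[m->cur_pag] = true;
    m->session_done = true;
}

static void close_session(struct model *m) {
    if (m->session_done)
        m->token[m->cur_pag] = false; /* delete the token the module "owns" */
}

/* Run the assumed sudo sequence; report whether the user's PAG 0 keeps its token. */
bool user_token_survives(bool fixed) {
    struct model m = { .token = { true }, .cur_pag = 0, .next_pag = 1, .fixed = fixed };
    setcred(&m, PAM_REINITIALIZE_CRED);
    open_session(&m);
    close_session(&m);
    return m.token[0];
}

int main(void) {
    printf("before fix: %d, after fix: %d\n", user_token_survives(false), user_token_survives(true));
    return 0;
}
```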
Also with this release, I finally rewrote the test suite to use my generic PAM test suite code, and got rid of a bunch of old, legacy testing code. I lost one test for which the new test framework doesn't have enough hooks, but it wasn't particularly important, and the new code is much cleaner and more data-driven.
There are also a few other, accumulated fixes, such as a compilation fix on Solaris 11, and a significant modernization of all of my common support libraries. (The last official release was in 2011!)
You can get the latest version from the pam-afs-session distribution page.
Posted: 2015-09-19 12:07