pam-afs-session 2.6

I no longer use this PAM module, since I don't use AFS any more, and it's actually orphaned. But there was a bug report against the Debian package that was actually a PAM issue, not an AFS issue, so I went ahead and fixed that.

The bug was that running sudo when you had the AFS PAM module enabled would delete your tokens. This was because sudo calls pam_setcred and pam_open_session in a somewhat strange way, leading the PAM module to think that sudo was taking ownership of the token but without putting the user in a new PAG. Then, when sudo closed its PAM session, the module would erroneously delete the token.

The fix is to not set the flag to skip subsequent open_session and close_session handling when called with PAM_REINITIALIZE_CRED or PAM_REFRESH_CRED. This preserves correct session handling behavior and avoids this issue.
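
A model of the failure and the fix described above, added here as an illustration and not taken from pam-afs-session's source. The struct, the function names, the toy per-PAG token table, and the exact call order (setcred with PAM_REINITIALIZE_CRED, then open_session, then close_session) are assumptions.

```c
/* Model of the token-ownership flag across the PAM calls the post describes.
 * All names and the per-PAG token table are assumptions for illustration;
 * this is not pam-afs-session code and does not call libpam or AFS. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_PAG 4

struct model {
    bool token[MAX_PAG]; /* token[p]: PAG p currently holds an AFS token */
    int  pag;            /* PAG the calling process is in */
    int  next_pag;       /* next unused PAG number */
    bool owned;          /* flag: this PAM handle took ownership of the token */
    bool fixed;          /* true models the behaviour after the fix */
};

/* setcred called with PAM_REINITIALIZE_CRED: refresh in place, no new PAG. */
static void setcred_reinit(struct model *m) {
    m->token[m->pag] = true;
    if (!m->fixed)
        m->owned = true;           /* the bug: ownership flag set anyway */
}

static void open_session(struct model *m) {
    if (m->owned)
        return;                    /* flag set: session setup is skipped */
    m->pag = m->next_pag++;        /* isolate the session in a new PAG */
    m->token[m->pag] = true;
    m->owned = true;
}

static void close_session(struct model *m) {
    if (!m->owned)
        return;                    /* not our token, leave it alone */
    m->token[m->pag] = false;      /* delete the token in the current PAG */
    m->owned = false;
}

/* Returns true if the user's original token (PAG 0) survives the sequence. */
bool user_token_survives(bool fixed) {
    struct model m = { .token = { true }, .pag = 0, .next_pag = 1, .fixed = fixed };
    setcred_reinit(&m);
    open_session(&m);
    close_session(&m);
    return m.token[0];
}

int main(void) {
    printf("before fix: user token %s\n", user_token_survives(false) ? "kept" : "deleted");
    printf("after fix:  user token %s\n", user_token_survives(true) ? "kept" : "deleted");
    return 0;
}
```

In the model, the pre-fix path never leaves PAG 0, so close_session removes the user's own token; with the fix, the token that gets deleted lives in the session's new PAG.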

Also with this release, I finally rewrote the test suite to use my generic PAM test suite code, and got rid of a bunch of old, legacy testing code. I lost one test for which the new test framework doesn't have enough hooks, but it wasn't particularly important, and the new code is much cleaner and more data-driven.

There are also a few other, accumulated fixes, such as a compilation fix on Solaris 11, and a significant modernization of all of my common support libraries. (The last official release was in 2011!)

You can get the latest version from the pam-afs-session distribution page.

Posted: 2015-09-19 12:07