@wngtk wngtk commented Aug 27, 2025

The pam_cap.so module with the defer option fails to apply capabilities correctly when logging in through LightDM. While the configuration works with text-based login (as fixed in shadow-maint/shadow#408), LightDM doesn't properly terminate the PAM session in the child process, preventing deferred capability assignment from taking effect during graphical login sessions.

Example Configuration:

# /etc/pam.d/lightdm
auth       optional     pam_cap.so keepcaps defer

Background:

  • Without defer: pam_cap sets capabilities through pam_setcred()
  • With defer: pam_cap relies on pam_end() to finalize capability assignment

Comparison with GDM:

Works correctly with pam_cap because it properly calls pam_setcred() after setuid(). This correct behavior means the defer option is not required for GDM to function with pam_cap.
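
One way to check from inside a login session whether a capability configured for pam_cap actually reached the session's processes. This is an added example, not part of the original comment or of the LightDM or libcap code. It assumes the capability is expected in the inheritable (CapInh) or ambient (CapAmb) set; the status text is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Bit numbers from <linux/capability.h>; only a subset is mapped here.
cap_bit() {
    case "$1" in
        cap_net_bind_service) echo 10 ;;
        cap_net_admin)        echo 12 ;;
        cap_net_raw)          echo 13 ;;
        cap_sys_ptrace)       echo 19 ;;
        cap_sys_nice)         echo 23 ;;
        *) return 1 ;;
    esac
}

# cap_field STATUS_TEXT FIELD: print the hex mask of a field such as CapInh.
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# mask_has HEX BIT: succeed if bit number BIT is set in the hex mask.
mask_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# session_cap STATUS_TEXT CAPNAME: print where the capability is present
# ("inheritable", "ambient", "inheritable+ambient") or "missing".
# Returns 0 if present, 1 if missing, 2 on an unknown name or unparsable input.
session_cap() {
    bit=$(cap_bit "$2") || { echo "unknown"; return 2; }
    inh=$(cap_field "$1" CapInh)
    amb=$(cap_field "$1" CapAmb)
    [ -n "$inh" ] && [ -n "$amb" ] || { echo "unparsed"; return 2; }
    found=""
    mask_has "$inh" "$bit" && found="inheritable"
    mask_has "$amb" "$bit" && found="${found:+$found+}ambient"
    [ -n "$found" ] || { echo "missing"; return 1; }
    echo "$found"
}

# Constructed samples of the Cap* lines from /proc/<pid>/status.
STATUS_APPLIED='CapInh: 0000000000002000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'
STATUS_NOT_APPLIED='CapInh: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

echo "applied sample:     $(session_cap "$STATUS_APPLIED" cap_net_raw)"
echo "not applied sample: $(session_cap "$STATUS_NOT_APPLIED" cap_net_raw)"
```

In a real session, pass `"$(cat /proc/$$/status)"` as the first argument from a terminal opened inside the graphical login, and again from a text console login, to compare the two.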
