Delete creds after closing the PAM session.
authorTodd C. Miller <Todd.Miller@courtesan.com>
Mon, 23 Apr 2012 20:11:49 +0000 (16:11 -0400)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Mon, 23 Apr 2012 20:11:49 +0000 (16:11 -0400)
plugins/sudoers/auth/pam.c

index 0de9af2127fc001fd5f3c888fa6eb016260de7e1..aa5cf07369b5ca6185cd889e6c82bc0744261f83 100644 (file)
@@ -271,14 +271,15 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
     debug_decl(sudo_pam_end_session, SUDO_DEBUG_AUTH)
 
     if (pamh != NULL) {
-#ifndef NO_PAM_SESSION
        /*
         * Update PAM_USER to reference the user we are running the command
-        * as to match the call to pam_open_session().
+        * as, as opposed to the user we authenticated as.
         */
        (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
+#ifndef NO_PAM_SESSION
        (void) pam_close_session(pamh, PAM_SILENT);
 #endif
+       (void) pam_setcred(pamh, PAM_DELETE_CRED);
        status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
        pamh = NULL;
     }
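Review bot: The result of the added `pam_setcred(pamh, PAM_DELETE_CRED)` call is cast to void, so a module that fails to remove the credentials (a ticket cache, for example) leaves them behind with no trace in the logs. The same applies to the `pam_set_item(pamh, PAM_USER, pw->pw_name)` call above it, which now also decides whose credentials are deleted: if it fails, the close and delete presumably run against the user who authenticated rather than the run-as user. Consider capturing both results, e.g. `rc = pam_setcred(pamh, PAM_DELETE_CRED);` followed by `if (rc != PAM_SUCCESS)` and a warning built from `pam_strerror(pamh, rc)`, while still proceeding to `pam_end()`. The function starts before the hunk and continues after it, so whether `status` is meant to reflect these failures cannot be judged from here.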