From: Todd C. Miller
Date: Mon, 23 Apr 2012 20:11:49 +0000 (-0400)
Subject: Delete creds after closing the PAM session.
X-Git-Tag: SUDO_1_8_5~1^2~31
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cf4562c031dde2a8418253c8c24ce4fefa540c7b;p=sudo
Delete creds after closing the PAM session.
---
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 0de9af212..aa5cf0736 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -271,14 +271,15 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
 debug_decl(sudo_pam_end_session, SUDO_DEBUG_AUTH)
 if (pamh != NULL) {
-#ifndef NO_PAM_SESSION
 /*
 * Update PAM_USER to reference the user we are running the command
- * as to match the call to pam_open_session().
+ * as, as opposed to the user we authenticated as.
 */
 (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
+#ifndef NO_PAM_SESSION
 (void) pam_close_session(pamh, PAM_SILENT);
 #endif
+ (void) pam_setcred(pamh, PAM_DELETE_CRED);
 status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
 pamh = NULL;
 }
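Review bot: The added `(void) pam_setcred(pamh, PAM_DELETE_CRED);` discards its result, so if a module fails to delete the credentials they stay in place and nothing records it. The same applies to the `pam_set_item(pamh, PAM_USER, pw->pw_name)` call that now runs unconditionally before it: if that call fails, the session close and credential deletion presumably act on whatever PAM_USER was set earlier (the comment suggests the authenticating user) rather than the run-as user. I would capture both results, e.g. `rc = pam_setcred(pamh, PAM_DELETE_CRED);` followed by `if (rc != PAM_SUCCESS)` and a debug/log line using `pam_strerror(pamh, rc)`, since `status` is overwritten by `pam_end()` and cannot carry the failure. The body of sudo_pam_end_session starts and ends outside this hunk, so how `status` is returned is not visible here.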