From cf4562c031dde2a8418253c8c24ce4fefa540c7b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 23 Apr 2012 16:11:49 -0400
Subject: [PATCH] Delete creds after closing the PAM session.

---
 plugins/sudoers/auth/pam.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 0de9af212..aa5cf0736 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -271,14 +271,15 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
 debug_decl(sudo_pam_end_session, SUDO_DEBUG_AUTH)
 if (pamh != NULL) {
-#ifndef NO_PAM_SESSION
 /*
 * Update PAM_USER to reference the user we are running the command
- * as to match the call to pam_open_session().
+ * as, as opposed to the user we authenticated as.
 */
 (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
+#ifndef NO_PAM_SESSION
 (void) pam_close_session(pamh, PAM_SILENT);
 #endif
+ (void) pam_setcred(pamh, PAM_DELETE_CRED);
 status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
 pamh = NULL;
 }
-- 
2.40.0
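Review bot: The added `(void) pam_setcred(pamh, PAM_DELETE_CRED);` throws away the result, so a module that fails to drop the credentials it established earlier (tickets, tokens, group memberships) leaves them in place with no trace in the logs; capture it and report through the file's debug facility, e.g. `int rc = pam_setcred(pamh, PAM_DELETE_CRED);` followed by `if (rc != PAM_SUCCESS) sudo_debug_printf(SUDO_DEBUG_WARN, "pam_setcred(PAM_DELETE_CRED): %s", pam_strerror(pamh, rc));`. The call is also now unconditional whenever pamh is set and runs after PAM_USER has been switched to pw->pw_name, so it only matches the earlier PAM_ESTABLISH_CRED call if that call used the same PAM_USER; that relationship is decided outside this hunk and deserves a comment on the new line, e.g. `/* Drop creds established at session start; PAM_USER must match that call. */`. The rest of sudo_pam_end_session, including the declaration of status and the return, lies outside the hunk.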