Description
opensolaris.org has a custom PAM module that sets up a chroot environment for access to the source repositories that are hosted there. As described at http://blogs.sun.com/kupfer/entry/unwanted_mounts, we've recently discovered that the session-close routine no longer runs as root, which breaks our PAM module. The blog entry has this comment from Nico:
Actually, when I did the SunSSH resync back in the S10 days I
made sure that pam_close_session() and pam_end() were called
as root, with all privs. That was part of the SunSSH
altprivsep model. However, that was recently broken as a
result of a change to better use the Solaris crypto framework,
and fixing it again will be very hard this time because of
fork-safety issues in PKCS#11 and other things.