From 6938bab42953510f8774a9ffb8f5db6692bd4504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Fischer?= <bf@CeBiTec.Uni-Bielefeld.DE>
Date: Wed, 8 Sep 2021 15:03:36 +0200
Subject: [PATCH] Call pam_end() after fork in child code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This conforms to PAM documentation and it is needed to support
ambient capabilities with PAM + libcap-2.58+.

Signed-off-by: Björn Fischer <bf@CeBiTec.Uni-Bielefeld.DE>
---
 src/login.c | 1 +
 src/su.c    | 9 +++------
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/login.c b/src/login.c
index 7ec2401e..5fbbc614 100644
--- a/src/login.c
+++ b/src/login.c
@@ -1288,6 +1288,7 @@ int main (int argc, char **argv)
 			env++;
 		}
 	}
+	(void) pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
 #endif
 
 	(void) setlocale (LC_ALL, "");
diff --git a/src/su.c b/src/su.c
index 04011afa..55ca80d2 100644
--- a/src/su.c
+++ b/src/su.c
@@ -1156,12 +1156,9 @@ int main (int argc, char **argv)
 		}
 	}
 
-	/*
-	 * PAM_DATA_SILENT is not supported by some modules, and
-	 * there is no strong need to clean up the process space's
-	 * memory since we will either call exec or exit.
-	pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
-	 */
+#ifdef USE_PAM
+	(void) pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+#endif
 
 	endpwent ();
 	endspent ();