authorAndrew G. Morgan <morgan@kernel.org>2021-09-14 20:54:00 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-09-14 20:54:00 -0700
commit9f9602215ccf205cca1b0a495db9eae18d204265 (patch)
treee3e58e5f9e7f2a29b8ea01ece2a2960d47cfbe69
parent2c3b8949f4374db5285865ad8ce1bdf49d6f24c6 (diff)
Add some debugging info for the pam_cap.so deferred callback.
As with the other D(()) entries in the pam_cap.so module, this is enabled if the /* #define PAM_DEBUG */ comment is uncommented at the top of the pam_cap.so file. I tried this on a sample app and it didn't actually follow the documentation: http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_end where no pam_end() call was made to terminate the fork()ed copy of the pamh value. That app needs to be fixed. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--pam_cap/pam_cap.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
index 2538b35..7e8cade 100644
--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
@@ -196,6 +196,24 @@ static void iab_apply(pam_handle_t *pamh, void *data, int error_status)
cap_iab_t iab = data;
int retval = error_status & ~(PAM_DATA_REPLACE|PAM_DATA_SILENT);
+#ifdef PAM_DEBUG
+ {
+ cap_t c = cap_get_proc();
+ cap_iab_t tu = cap_iab_get_proc();
+ char *tc, *ttu;
+ tc = cap_to_text(c, NULL);
+ ttu = cap_iab_to_text(tu);
+
+ D(("iab_apply with uid=%d,euid=%d and error_status=0x%08x \"%s\", [%s]",
+ getuid(), geteuid(), error_status, tc, ttu));
+
+ cap_free(ttu);
+ cap_free(tc);
+ cap_free(tu);
+ cap_free(c);
+ }
+#endif
+
data = NULL;
if (error_status & PAM_DATA_REPLACE) {
goto done;
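Review bot: The added debug block hands `tc` and `ttu` to the two `%s` conversions in the `D((...))` call without checking that `cap_get_proc()`, `cap_iab_get_proc()`, `cap_to_text()` or `cap_iab_to_text()` succeeded. Each of these can return NULL on failure, and if `D()` expands to a printf-style call (its definition is not visible in this hunk), a NULL `%s` argument is undefined behaviour. This runs in the deferred cleanup callback, which the commit message says can fire in a process that never called pam_end(), so the diagnostic path should tolerate failure; substituting `tc ? tc : "(cap_to_text failed)"` and `ttu ? ttu : "(cap_iab_to_text failed)"` in the argument list would do it. Separately, `getuid()` and `geteuid()` return `uid_t`, so `%d` is a type mismatch; `%u` with `(unsigned) getuid()` and `(unsigned) geteuid()` is the safer form. The body of iab_apply begins before and continues past this hunk.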