Comment 6 for bug 1787548

@Joe I just noticed that the proposed fix breaks the ability to do a simple 'su - <USER>' where <USER> is not root or the current user and the current user is unprivileged:

$ su - fs
Password:
su: System error

Here's the debug logging from pam_fscrypt:

pam_fscrypt[5468]: Authenticate()
pam_fscrypt[5468]: keyringID(_uid.1001) = 834965334, <nil>
pam_fscrypt[5468]: KeyctlLink(834965334, -2) = <nil>
pam_fscrypt[5468]: keyringID(session) = 132871448, <nil>
pam_fscrypt[5468]: KeyctlSearch(132871448, keyring, _uid.1001) = -1, required key not available
pam_fscrypt[5468]: Setting up keyrings in PAM: user keyring not linked into session keyring
pam_fscrypt[5468]: Setting euid=1001 egid=1001 groups=[1001]
pam_fscrypt[5468]: pam func failed: setting egid: operation not permitted

In the comand above, UID 1000 is invoking su and attempting to change UID 1001.

The debug logging doesn't mention what the original euid, egid, and supplementary groups are when the pam_fscrypt Authenticate() function is first entered but I suspect that the euid is the is that of the original user invoking su (1000). The process doesn't have sufficient privs to switch to egid 1001, Authenicate() returns an error, and the whole thing fails. I'm not certain but maybe the correct thing to do in this case is return PAM_IGNORE rather than PAM_SERVICE_ERR.