From: Sam Hartman <hartmans@debian.org>
Date: Mon, 11 Sep 2023 14:00:42 -0600
Subject: handle the case of flags being empty or only PAM_SILENT, which is

documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
---
 modules/pam_group/pam_group.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index 21c04d7..7d89dd0 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -772,9 +772,12 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
     unsigned setting;
 
     /* only interested in establishing credentials */
+    /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
+       Some people just pass PAM_SILENT, so cope with it, too. */
 
     setting = flags;
-    if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
+    if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
+        && (setting != 0) && (setting != PAM_SILENT)) {
 	D(("ignoring call - not for establishing credentials"));
 	return PAM_SUCCESS;            /* don't fail because of this */
     }