Comment 12 for bug 234727

On my system I can confirm the pam_mount link (encrypted dir), as sudo -u works fine for a normal user (no enc. directory), just not for me (with enc. directory). However: I've just run:
# ltrace sudo -u david ls
the last part is:

[cut]
setregid(-1, 1877, 2, 0xbfbba668, 0x806e2b0) = 0
vasprintf(0xbfbba658, 0x8058dd4, 0xbfbba618, 2, 0xb7f62190) = 58
strlen("david") = 5
strlen("TTY=pts/2 ; PWD=/home/david ; US"...) = 58
openlog("sudo", 0, 80) = <void>
vsnprintf(" david : TTY=pts/2 ; PWD=/home"..., 961, "%8s : %s", 0xbfbba5e8) = 69
syslog(5, "%s", " david : TTY=pts/2 ; PWD=/home"...) = <void>
closelog() = <void>
strlen("david") = 5
free(0x806e998) = <void>
umask(022) = 022
pam_start(0x8060406, 0x8069b14, 0x806426c, 0x8064278, 1) = 0
pam_set_item(0x806e9d8, 3, 0x8067f58, 0x8064278, 1) = 0
pam_set_item(0x806e9d8, 2, 0x8069b14, 1, 0xb7e1e85c) = 0
pam_set_item(0x806e9d8, 8, 0x806e964, 1, 0xb7e1e85c) = 0
pam_set_item(0x806e9d8, 4, 0x8067eb8, 1, 0xb7e1e85c) = 0
pam_setcred(0x806e9d8, 2, 0x8067eb8, 1, 0xb7e1e85c) = 0
pam_open_session(0x806e9d8, 0, 0x8067eb8, 1, 0xb7e1e85c <unfinished ...>
malloc(8) = 0x807d080
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
Now, what I see here is that there's a free() on a region that's then sent to pam_set_item, pam_setcred, and pam_open_session.

I'd guess this is a good place to look!
David