please enable CONFIG_AUDIT_LOGINUID_IMMUTABLE
Josh Boyer
jwboyer at redhat.com
Tue Feb 19 12:35:51 UTC 2013
On Tue, Feb 19, 2013 at 01:10:41PM +0100, Michal Schmidt wrote:
> On 02/18/2013 08:59 PM, Josh Boyer wrote:
> >On Mon, Feb 18, 2013 at 02:36:04PM -0500, Eric Paris wrote:
> >>On Mon, 2013-02-18 at 14:28 -0500, Josh Boyer wrote:
> >>>On Mon, Feb 18, 2013 at 01:42:09PM -0500, Eric Paris wrote:
> >>>>What breaks is admin running
> >>>>
> >>>>/usr/sbin/sshd -D
> >>>>
> >>>>or
> >>>>
> >>>>/usr/sbin/crond -n
> >>>>
> >>>>unless they redo their stock pam config...
> >>>
> >>>And there's no way we can fix the stock pam config so they don't have to
> >>>do that?
> >
> >Do you happen to have an example of how to modify the pam config to let
> >people still do this? If so, could you send it here?
>
> /etc/pam.d/sshd has:
> session required pam_loginuid.so
>
> They could replace 'required' with 'optional'. But then they need to
> be aware of the consequences: The loginuid of all users logged in
> via ssh would be the same as the loginuid of the administrator who
> started sshd from his shell.

Thanks.

> In my view we should not assist the administrators doing that. They
> should learn to start services in a clean environment (i.e. by
> systemd).

I'm not necessarily disagreeing with you, but not everyone is going to
agree with you regardless of how sane and correct you might be ;).

I'll turn the config on in today's batch of commits.

josh
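
A check for the PAM setting and the loginuid inheritance discussed in this thread, as an added example that is not part of the original message or of any Fedora tooling. The function names are hypothetical, and the script assumes the caller supplies the PAM files to inspect and the daemon's listener PID.

```shell
#!/bin/sh
# Added example: audit pam_loginuid.so control flags and daemon loginuid state.
# /proc/<pid>/loginuid prints (uid_t)-1 as this number when no loginuid is set.
UNSET_LOGINUID=4294967295

# Report the control flag of every session line loading pam_loginuid.so in
# the given PAM files. Returns 1 if any flag is not "required" (for example
# "optional", or a bracketed control, which is reported by its first token).
check_pam_loginuid() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            $1 == "session" || $1 == "-session" {
                for (i = 3; i <= NF; i++) {
                    n = split($i, p, "/")      # accept a full module path
                    if (p[n] != "pam_loginuid.so") continue
                    if ($2 == "required") {
                        print f ": pam_loginuid.so is required"
                    } else {
                        print f ": pam_loginuid.so control is " $2 ", not required"
                        bad = 1
                    }
                    break
                }
            }
            END { exit bad + 0 }' "$f" || rc=1
    done
    return $rc
}

# Classify a value read from /proc/<pid>/loginuid.
loginuid_state() {
    case "$1" in
        "$UNSET_LOGINUID") echo unset ;;      # started in a clean environment
        ''|*[!0-9]*)       echo unknown ;;    # unreadable or not a number
        *)                 echo "set:$1" ;;   # inherited from a login session
    esac
}

# State of a running daemon, given its PID (e.g. the sshd listener).
daemon_loginuid_state() {
    loginuid_state "$(cat "/proc/$1/loginuid" 2>/dev/null)"
}

# Usage: sh thisfile /etc/pam.d/sshd /etc/pam.d/crond
if [ "$#" -gt 0 ]; then check_pam_loginuid "$@"; fi
```

A listener that reports `set:<uid>` was started from a login session, which is the case the thread describes for `/usr/sbin/sshd -D` run from an administrator's shell.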