Hi All,
In my never-ending quest to find new and annoying ways to do everything, I
figured that I'd throw out the new list of fun.
1. Using pkexec makes sudo relatively pointless. Sure, it logs things, but
we now effectively have two sudo subsystems and one can't really have the
rules audited per my last discussion with Steve because JavaScript as a
configuration language is amazing. Not sure what to do about this one but
people should really be watching for it and I don't see any mention of it
in the rules anywhere.
2. Systemd timers can be run in user mode and effectively make all the
restrictions around cron and at pointless from what I can tell. So far, I
can't figure out how to disable user space timers or 'systemctl --user'
calls without completely removing 'pam_systemd' from the stack. No idea
what this would break but it's probably the only solution right now (or
maybe having a group-based jump stack in PAM).
3. There should probably be some sort of check to make sure that
'enable-linger' has not been set for users.
In summary, the SSG simply does not cover any of the new EL7+ capabilities
very well, particularly those that replace traditional services that are
already expected to be controlled. As systemd becomes more of an operating
system and less of a service manager, this will only get worse.
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
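An added example, not from Trevor's mail or the SSG, of the check proposed in item 3 together with an enumeration of the per-user timer units from item 2; the directory arguments default to the real systemd locations and are assumed so the functions can also be pointed at copies of those paths.

```shell
#!/bin/sh
# Audit helpers for two systemd features that bypass traditional controls:
# lingering user sessions and user-level timer units.

# Print the users that have 'loginctl enable-linger' set. systemd records
# lingering as an empty file named after the user in this directory.
list_lingering_users() {
    linger_dir="${1:-/var/lib/systemd/linger}"   # assumed default location
    [ -d "$linger_dir" ] || return 0
    for f in "$linger_dir"/*; do
        [ -e "$f" ] || continue                  # glob matched nothing
        basename "$f"
    done
}

# Print "<user> <unit>" for each .timer unit in a user's own unit directory
# (~/.config/systemd/user), which cron/at restrictions never see. Takes the
# parent of the home directories; /etc/systemd/user is a separate system-wide
# location that should be reviewed as well.
list_user_timers() {
    home_root="${1:-/home}"                       # assumed default location
    [ -d "$home_root" ] || return 0
    for home in "$home_root"/*; do
        [ -d "$home" ] || continue
        for t in "$home"/.config/systemd/user/*.timer; do
            [ -e "$t" ] || continue
            printf '%s %s\n' "$(basename "$home")" "$(basename "$t")"
        done
    done
}

# Returns 1 when anything is found so the check can fail a compliance scan.
audit_systemd_user_features() {
    findings=0
    lingering=$(list_lingering_users "$1")
    if [ -n "$lingering" ]; then
        echo "Lingering enabled for: $lingering"
        findings=1
    fi
    timers=$(list_user_timers "$2")
    if [ -n "$timers" ]; then
        echo "User timer units found:"
        echo "$timers"
        findings=1
    fi
    return $findings
}
```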