enable CONFIG_AUDIT_LOGINUID_IMMUTABLE on F17
Eric Paris
eparis at redhat.com
Thu Feb 9 19:32:00 UTC 2012
In F17 I'd like to see CONFIG_AUDIT_LOGINUID_IMMUTABLE turned on.
In the old days when an admin restarted a service they actually did the
restart themselves. Thus the new daemon would be attributed to the
loginuid of the admin. If this daemon was ssh, when a new user logged
in we needed a method to 'switch' the loginuid so the audit trail was
associated with this new user, not the admin who started sshd.
With the advent of systemd admins do not directly launch daemons and
instead init launches it on their behalf. With this option set sshd
will not need to 'switch' its loginuid, instead it will 'set' it for the
first time. Even after a restart. This couldn't work under sysvinit or
upstart, but since Fedora has removed almost all init scripts, noone can
be using sysvinit or upstart any more!
With this enabled we will break people directly launching login
utilities instead of going through init. However it will allow us to
remove some permissions from applications (CAP_AUDIT_CONTROL) since
setting the loginuid will no longer be a privileged operation and will
greatly increase the reliability of audit logs to be able to attest to
what user performed what operation.
-Eric
More information about the kernel
mailing list