enable CONFIG_AUDIT_LOGINUID_IMMUTABLE on F17
Steve Grubb
sgrubb at redhat.com
Thu Feb 9 21:05:42 UTC 2012
On Thursday, February 09, 2012 02:32:00 PM Eric Paris wrote:
> With this enabled we will break people directly launching login
> utilities instead of going through init. However it will allow us to
> remove some permissions from applications (CAP_AUDIT_CONTROL) since
> setting the loginuid will no longer be a privileged operation and will
> greatly increase the reliability of audit logs to be able to attest to
> what user performed what operation.
Making the login uid immutable would be nice, but I don't get the part about
removing privileges. Setting the login uid is a privileged operation. It always
has to be that way.
-Steve
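An added example, not part of this thread or of the kernel source: the reliability concern in the quoted text can be checked in existing logs by flagging LOGIN audit records that overwrite a loginuid that was already set. The record layout (`old auid=` / `new auid=`) is assumed from kernel LOGIN records of this period, and the sample lines are constructed.

```python
import re

UNSET_AUID = 4294967295  # (uid_t)-1: the task's loginuid has not been set yet

# Assumed LOGIN record layout; adjust the pattern if your kernel logs differ.
LOGIN_RE = re.compile(
    r"type=LOGIN msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"login pid=(?P<pid>\d+) uid=(?P<uid>\d+) "
    r"old auid=(?P<old>\d+) new auid=(?P<new>\d+)"
)

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = """\
type=LOGIN msg=audit(1328821542.101:45): login pid=1234 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=3
type=USER_START msg=audit(1328821542.150:46): user pid=1234 uid=0 auid=500 ses=3 msg='op=PAM:session_open acct="alice" res=success'
type=LOGIN msg=audit(1328821600.007:52): login pid=1234 uid=0 old auid=500 new auid=0 old ses=3 new ses=4
type=LOGIN msg=audit(1328821700.300:60): login pid=2001 uid=0 old auid=4294967295 new auid=501 old ses=4294967295 new ses=5
"""


def loginuid_changes(log_text):
    """Return LOGIN records that replace an already-set loginuid.

    A first-time set (old auid == UNSET_AUID) is the normal login path.
    Any other transition means later records from that task are attributed
    to a different user than the one who originally logged in.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a LOGIN record, or a layout this pattern does not cover
        old, new = int(m["old"]), int(m["new"])
        if old != UNSET_AUID and old != new:
            findings.append({
                "serial": int(m["serial"]),
                "pid": int(m["pid"]),
                "old_auid": old,
                "new_auid": new,
            })
    return findings


if __name__ == "__main__":
    for f in loginuid_changes(SAMPLE_LOG):
        print("loginuid overwritten: serial=%(serial)d pid=%(pid)d "
              "auid %(old_auid)d -> %(new_auid)d" % f)
```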