please enable CONFIG_AUDIT_LOGINUID_IMMUTABLE
Michal Schmidt
mschmidt at redhat.com
Tue Feb 19 12:10:41 UTC 2013
On 02/18/2013 08:59 PM, Josh Boyer wrote:
> On Mon, Feb 18, 2013 at 02:36:04PM -0500, Eric Paris wrote:
>> On Mon, 2013-02-18 at 14:28 -0500, Josh Boyer wrote:
>>> On Mon, Feb 18, 2013 at 01:42:09PM -0500, Eric Paris wrote:
>>>> What breaks is admin running
>>>>
>>>> /usr/sbin/sshd -D
>>>>
>>>> or
>>>>
>>>> /usr/sbin/crond -n
>>>>
>>>> unless they redo their stock pam config...
>>>
>>> And there's no way we can fix the stock pam config so they don't have to
>>> do that?
>
> Do you happen to have an example of how to modify the pam config to let
> people still do this? If so, could you send it here?
/etc/pam.d/sshd has:
session required pam_loginuid.so
They could replace 'required' with 'optional'. But then they need to be
aware of the consequences: The loginuid of all users logged in via ssh
would be the same as the loginuid of the administrator who started sshd
from his shell.
In my view we should not assist the administrators doing that. They
should learn to start services in a clean environment (i.e. by systemd).
Michal
More information about the kernel
mailing list