On Thu, 2012-02-09 at 14:32 -0500, Eric Paris wrote: > With this enabled we will break people directly launching login > utilities instead of going through init. However it will allow us to > remove some permissions from applications (CAP_AUDIT_CONTROL) since > setting the loginuid will no longer be a privileged operation and will > greatly increase the reliability of audit logs to be able to attest to > what user performed what operation. Launching by hand can be made to work by changing your pam config to switch pam_loginuid.so to be 'optional' instead of 'required.' It also means that the admin who started the service will be attributed to everything someone who logs in did. but those are the knocks if you do weird stuff like launch your own sshd inside a chroot.... _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
