On Mon, 2013-02-18 at 14:28 -0500, Josh Boyer wrote:
> On Mon, Feb 18, 2013 at 01:42:09PM -0500, Eric Paris wrote:
> > On Mon, 2013-02-18 at 13:38 -0500, Tom Callaway wrote:
> > > On 02/18/2013 01:32 PM, Eric Paris wrote:
> > > > On Mon, 2013-02-18 at 13:15 -0500, Josh Boyer wrote:
> > > >> On Mon, Feb 18, 2013 at 06:07:08PM +0100, Michal Schmidt wrote:
> > > >>> Hello Fedora kernel maintainers,
> > > >>>
> > > >>> please consider setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=y for F19.
> > > >>>
> > > >>> It brings a security benefit and should be safe to turn on since
> > > >>> we're using systemd to start services.
> > > >>
> > > >> Refresh my memory please. Are we using systemd to start 100% of the
> > > >> services provided in Fedora? I seem to recall there are still a number
> > > >> of packages not using/providing systemd unit files. Would enabling this
> > > >> cause them to get weird EPERM errors?
> > > >>
> > > >> Is there a simple thing to check for aside from EPERM if issues from
> > > >> this do pop up?
> > > >
> > > > Daemons with a config requiring pam_loginuid.so will be unable to work if
> > > > they are launched by a logged in admin as opposed to systemd. Obvious
> > > > workaround is to change the pam config.
> > > >
> > > > Login daemons launched by sysinit at boot will work.
> > > > Login daemons launched by systemd will work.
> > > >
> > > > Login daemons launched by sysinit from a logged in admin will fail.
> > >
> > > Assuming that systemd launching an "old" sysvinit script will work, this
> > > should be safe. I do not believe Fedora contains any other viable init
> > > mechanisms anymore (upstart is gone, sysvinit is a husk).
> >
> > What breaks is admin running
> >
> > /usr/sbin/sshd -D
> >
> > or
> >
> > /usr/sbin/crond -n
> >
> > unless they redo their stock pam config...
>
> And there's no way we can fix the stock pam config so they don't have to
> do that?
>
> A more pointed question is, when people complain this stops working and
> the R word starts getting thrown around, can I point them at you and
> Michal?

Sure, throw em at me :)

-Eric

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
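The failure mode Eric describes (a daemon whose PAM stack requires pam_loginuid.so, started from an already logged-in session while CONFIG_AUDIT_LOGINUID_IMMUTABLE=y) can be predicted before the EPERM shows up. The script below is an added example, not code from the thread or from Fedora: it parses the contents of /proc/<pid>/loginuid and a pam.d service file (both passed in as text, with constructed samples in `main`) and reports whether launching the daemon from that context will fail. The rule it encodes is the one stated in the thread: loginuid unset (boot or systemd context) is fine, loginuid already set plus an immutable kernel means pam_loginuid cannot set it.

```python
import os

# (uid_t)-1 as printed by /proc/<pid>/loginuid when no login has set it yet.
UNSET_LOGINUID = 4294967295


def loginuid_is_set(loginuid_text):
    """Parse /proc/<pid>/loginuid contents; True once a login (pam_loginuid) has set it."""
    return int(loginuid_text.strip()) != UNSET_LOGINUID


def pam_requires_loginuid(pam_config_text):
    """True if a pam.d service file has a required/requisite pam_loginuid.so session line.

    An 'optional' pam_loginuid line would log the failure but not fail the session,
    so only the strict control flags count, matching the thread's "config requiring".
    """
    for raw in pam_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 3 or fields[0] != "session":
            continue
        if fields[1] in ("required", "requisite") and fields[2].endswith("pam_loginuid.so"):
            return True
    return False


def predict_launch(loginuid_text, pam_config_text, immutable=True):
    """Verdict for starting a daemon with this PAM config from a process with this loginuid."""
    if not pam_requires_loginuid(pam_config_text):
        return "ok: service does not require pam_loginuid"
    if not loginuid_is_set(loginuid_text):
        return "ok: loginuid unset (boot/systemd context), pam_loginuid can set it"
    if not immutable:
        return "ok: loginuid already set, but kernel allows CAP_AUDIT_CONTROL to overwrite it"
    return "fail: loginuid already set and immutable, pam_loginuid will get EPERM"


def main():
    # Constructed sample of a stock-style sshd PAM stack (not copied from any distro file).
    sshd_pam = "#%PAM-1.0\nauth include password-auth\nsession required pam_loginuid.so\n"
    # Constructed loginuid values: a root shell after login vs. a systemd-started process.
    admin_shell, systemd_ctx = "0\n", "4294967295\n"
    print("from admin shell :", predict_launch(admin_shell, sshd_pam))
    print("from systemd     :", predict_launch(systemd_ctx, sshd_pam))
    if os.path.exists("/proc/self/loginuid"):       # live check on a Linux host with audit
        with open("/proc/self/loginuid") as f:
            print("this process     :", predict_launch(f.read(), sshd_pam))


if __name__ == "__main__":
    main()
```

Run it from the shell you intend to start the daemon from; a "fail" verdict for "this process" is the check Josh asked for, short of waiting for the EPERM.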