
Re: Setting loginuid


--- Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:

> On Tue, 2005-02-15 at 11:27, Casey Schaufler wrote:
> > Some programs that use PAM, including su, are
> > not login sessions and hence must not set the
> > loginuid.
> 
> That can be handled by not including the pam_audit
> or pam_loginuid
> (whatever it is called) module in the pam
> configuration for su (i.e.
> /etc/pam.d/su).  It doesn't necessarily require
> patching the
> individual programs; it just means that you have to
> insert individual
> pam_audit entries in desired program-specific pam
> configuration files
> rather than just putting it in the generic
> system-auth one.

You're correct. It would be possible to do su
correctly using the PAM scheme. It would also be
simple^H^H^H^H^H^H possible to configure the system
incorrectly. There is never a case where you want
the wrong behavior. It is better to hard code
correctness than to make correct behavior a
configuration option.

And that does not address cron.


=====
Casey Schaufler
casey@xxxxxxxxxxxxxxxx
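
Added example (not part of the original message, and not code from either poster): a check for the misconfiguration discussed above, where a non-login service such as su picks up pam_loginuid through a shared stack like system-auth. The sample configuration is constructed, and treating sudo as a second non-login service is an assumption; the thread names only su.

```python
import re

# Constructed sample of /etc/pam.d contents (not taken from the thread).
SAMPLE_PAM_D = {
    "system-auth": "auth required pam_unix.so\n"
                   "session required pam_limits.so\n"
                   "session required pam_loginuid.so\n",
    "login": "auth include system-auth\nsession required pam_loginuid.so\n",
    "sshd": "auth include system-auth\nsession include system-auth\n",
    "su": "auth sufficient pam_rootok.so\nsession include system-auth\n",
    "sudo": "auth include system-auth\nsession required pam_limits.so\n",
}

# Matches "type control module"; control may be a bracketed [k=v ...] list.
RULE = re.compile(r"\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def sets_loginuid(service, pam_d, seen=None):
    """True if the service's session stack reaches pam_loginuid.so."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return False
    seen.add(service)
    for raw in pam_d[service].splitlines():
        line = raw.split("#", 1)[0]
        if line.startswith("@include"):  # Debian style: pulls in every type
            parts = line.split()
            if len(parts) > 1 and sets_loginuid(parts[1], pam_d, seen):
                return True
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "session":
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            # include only pulls in rules of the same type (session here)
            if sets_loginuid(module, pam_d, seen):
                return True
        elif module.endswith("pam_loginuid.so"):
            return True
    return False

def non_login_setting_loginuid(pam_d, non_login):
    """Non-login services whose PAM stack would still set the loginuid."""
    return sorted(s for s in non_login if sets_loginuid(s, pam_d))

if __name__ == "__main__":
    # "sudo" is an assumed second non-login service; the thread names only su.
    print(non_login_setting_loginuid(SAMPLE_PAM_D, ["su", "sudo"]))
```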


--
This message was distributed to subscribers of the selinux mailing list.