> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of José Bollo
> Sent: Thursday, January 09, 2014 8:36 AM
> To: [email protected]
> Subject: [Dev] pam module for Smack
>
> Hi,
>
> We are facing problems with the commands 'su' and 'ssh' that don't set the
> user Smack context. Such a service would naturally be accomplished by PAM,
> the pluggable authentication module that is integrated with well-known
> commands: 'login', 'su', 'ssh' and by other less known ones such as Gnome
> session manager or weston.
>
> Currently, the context is set by systemd. I would like to know if there is a
> reason that explains that systemd doesn't use login+pam to achieve that
> behaviour?

The reason is that systemd (currently) creates the user session without a
login process. Going forward that does have to change. The user session is
started in the "User" domain. This results in all of the processes spawned
in the user session being in the "User" domain. That's very clean.

> I'm thinking that a pam_smack module would be the most integrated way of
> doing the thing. Why would it be wrong to think that? Ideas?

A pam_smack module would be a fine thing, and has been on the Smack todo
list since 2008.

> I've looked at what has to be done for making a pam_smack module and it
> makes me believe that it is really easy to achieve.

Excellent! I would be delighted to see details on how you'd like to handle
determining what Smack label to assign the session. I had envisioned a
/etc/smack/users file that lists what labels a user can use and which is
used if none is specified. You could also base it on the label of the user's
home directory.

> Best Regards
> José Bollo
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.tizen.org/listinfo/dev
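
One way the /etc/smack/users lookup suggested in the reply could work, as an added example that is not part of the original thread or of any Smack code. The file format (`user:default[,allowed...]`, `#` comment lines) and the names `smack_pick_label` and `smack_label_ok` are assumptions; unknown users, unlisted labels and malformed entries are all denied.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in the assumed format: user:default[,allowed...] */
static const char SAMPLE_DB[] = "# constructed\nalice:User,User::Dev\nbob:-bad\n";
/* Smack label syntax: 1..255 printable ASCII, none of / \ ' ", no leading '-'. */
static int smack_label_ok(const char *s, size_t n)
{
    size_t i = 0;
    while (i < n && s[i] > ' ' && s[i] <= '~' && !strchr("/\\'\"", s[i]))
        i++;
    return n > 0 && n <= 255 && s[0] != '-' && i == n;
}

/* Choose the session label for `user`; requested == NULL selects the default
 * (first listed). Returns 0 and fills `out`, or -1 to deny (fail closed). */
int smack_pick_label(const char *db, const char *user,
                     const char *requested, char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    for (const char *line = db; ulen && line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (*line != '#' && llen > ulen && line[ulen] == ':' && !strncmp(line, user, ulen)) {
            const char *p = line + ulen + 1, *end = line + llen;
            while (p < end) {
                const char *c = memchr(p, ',', (size_t)(end - p));
                size_t n = c ? (size_t)(c - p) : (size_t)(end - p);
                if (!smack_label_ok(p, n) || n >= outlen)
                    return -1; /* malformed entry */
                if (!requested || (strlen(requested) == n && !memcmp(requested, p, n))) {
                    memcpy(out, p, n);
                    out[n] = '\0';
                    return 0;
                }
                p += n + (c ? 1 : 0);
            }
            return -1; /* requested label is not listed for this user */
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1; /* no entry for this user */
}

int main(void)
{
    char l[256];
    int rc = smack_pick_label(SAMPLE_DB, "alice", "User::Dev", l, sizeof l);
    return printf("alice -> %s\n", rc ? "(denied)" : l) < 0;
}
```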
