On Thu, Jan 9, 2014 at 9:57 AM, Schaufler, Casey <[email protected]> wrote:
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of José Bollo
>> Sent: Thursday, January 09, 2014 8:36 AM
>> To: [email protected]
>> Subject: [Dev] pam module for Smack
>>
>> Hi,
>>
>> We are facing problems with the commands 'su' and 'ssh' that don't set the
>> user Smack context. Such a service would naturally be accomplished by PAM,
>> the pluggable authentication module, which is integrated with well-known
>> commands ('login', 'su', 'ssh') and with others less known, such as the Gnome
>> session manager or weston.
>>
>> Currently, the context is set by systemd. I would like to know if there is a
>> reason that explains why systemd doesn't use login+pam to achieve that
>> behaviour.
>
> The reason is that systemd (currently) creates the user session without a
> login process. Going forward that does have to change. The user session is
> started in the "User" domain. This results in all of the processes spawned in
> the user session being in the "User" domain. That's very clean.
>
>> I'm thinking that a pam_smack module would be the most integrated way of
>> doing the thing. Why would it be wrong to think that? Ideas?
>
> A pam_smack module would be a fine thing, and has been on the Smack todo list
> since 2008.
>
>> I've looked at what has to be done for making a pam_smack module and it
>> makes me believe that it is really easy to achieve.
>
> Excellent! I would be delighted to see details on how you'd like to handle
> determining what Smack label to assign the session. I had envisioned a
> /etc/smack/users file that lists what labels a user can use and which is used
> if none is specified. You could also base it on the label of the user's home
> directory.
Why not just:

    session required pam_smack.so label=User

but, if you're going to make a config file, *please* put it in /etc/security where the pam configs should be....

Auke

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
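The thread sketches two ways a pam_smack session module could decide the label: a per-user file in the shape Casey envisions (/etc/smack/users listing the labels a user may use plus a default), and a module argument such as Auke's `label=User`. The following is an added example, not code from the thread, Smack or Tizen; it shows the label-selection policy a module could apply before writing the label, and how the two sources combine. The `user:default:allowed,labels` file format, the option name `label`, and the sample users are assumptions constructed for the example. The policy fails closed: a requested label that the user's entry does not list, or a user with neither an entry nor a module default, yields no label so the caller can refuse the session instead of starting it unlabelled.

```python
import os

# Constructed sample of a /etc/smack/users file in the shape Casey sketches:
# "user:default_label:comma,separated,allowed_labels". The format is an
# assumption for this example, not a Smack or Tizen file format.
SAMPLE_SMACK_USERS = """\
# user : default label : labels this user may ask for
alice:User:User,Dev
bob:Guest:
"""

# Characters the kernel's Smack label parser rejects; a label may also not
# start with '-'. Checked here so a bad config entry fails at parse time.
_FORBIDDEN = set(' /"\\\'')


def valid_label(label):
    return (0 < len(label) <= 255
            and not label.startswith("-")
            and not (_FORBIDDEN & set(label)))


def parse_smack_users(text):
    """Return {user: (default_label, frozenset_of_allowed_labels)}.

    The default is always included in the allowed set, so a file that names
    a default but forgets to list it as allowed is still consistent.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or not parts[0] or not parts[1]:
            raise ValueError(f"line {lineno}: expected user:default:allowed")
        user, default, allowed = parts
        labels = {default} | {a.strip() for a in allowed.split(",") if a.strip()}
        bad = [lab for lab in labels if not valid_label(lab)]
        if bad:
            raise ValueError(f"line {lineno}: invalid Smack label(s) {bad}")
        table[user] = (default, frozenset(labels))
    return table


def parse_module_args(argv):
    """Parse PAM-style module arguments such as ['label=User', 'debug']."""
    opts = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        opts[key] = value if sep else True
    return opts


def select_label(table, user, requested=None, module_default=None):
    """Pick the session label, returning None when nothing permits one.

    Precedence: an explicit request is honoured only if the user's entry
    lists it; otherwise the user's default from the file; otherwise the
    module argument (label=User); otherwise None, and the session should
    be refused rather than started in an unintended label.
    """
    entry = table.get(user)
    if requested is not None:
        if entry is None or requested not in entry[1]:
            return None
        return requested
    if entry is not None:
        return entry[0]
    if module_default is not None and valid_label(module_default):
        return module_default
    return None


def label_of_home(home):
    """Casey's alternative: read the Smack label stored on the home
    directory in its security.SMACK64 extended attribute. Returns None if
    the attribute is absent, unreadable, or the platform has no getxattr."""
    getx = getattr(os, "getxattr", None)
    if getx is None:
        return None
    try:
        return getx(home, "security.SMACK64").decode()
    except OSError:
        return None


if __name__ == "__main__":
    users = parse_smack_users(SAMPLE_SMACK_USERS)
    opts = parse_module_args(["label=User"])
    for who, req in [("alice", None), ("alice", "Dev"), ("alice", "System"),
                     ("bob", None), ("carol", None)]:
        print(who, req, "->", select_label(users, who, req, opts.get("label")))
```

Whichever source wins, the module should validate the label before applying it and treat a missing decision as a refusal; a module that silently falls through to whatever label the spawning process already carried would reproduce exactly the 'su' and 'ssh' problem José describes.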
