> -----Original Message-----
> From: Kok, Auke-jan H [mailto:[email protected]]
> Sent: Thursday, January 09, 2014 11:32 AM
> To: Schaufler, Casey
> Cc: José Bollo; [email protected]
> Subject: Re: [Dev] pam module for Smack
>
> On Thu, Jan 9, 2014 at 9:57 AM, Schaufler, Casey <[email protected]> wrote:
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of José Bollo
> > > Sent: Thursday, January 09, 2014 8:36 AM
> > > To: [email protected]
> > > Subject: [Dev] pam module for Smack
> > >
> > > Hi,
> > >
> > > We are facing problems with the commands 'su' and 'ssh' that don't set the user Smack context. Such a service would naturally be accomplished by PAM, the pluggable authentication module that is integrated with well-known commands ('login', 'su', 'ssh') and by others less known, such as the Gnome session manager or weston.
> > >
> > > Currently, the context is set by systemd. I would like to know if there is a reason that explains why systemd doesn't use login+pam to achieve that behaviour?
> >
> > The reason is that systemd (currently) creates the user session without a login process. Going forward that does have to change. The user session is started in the "User" domain. This results in all of the processes spawned in the user session being in the "User" domain. That's very clean.
> >
> > > I'm thinking that a pam_smack module would be the most integrated way of doing the thing. Why would it be wrong to think that? Ideas?
> >
> > A pam_smack module would be a fine thing, and has been on the Smack todo list since 2008.
> >
> > > I've looked at what has to be done for making a pam_smack module and it makes me believe that it is really easy to achieve.
> >
> > Excellent! I would be delighted to see details on how you'd like to handle determining what Smack label to assign the session. I had envisioned a /etc/smack/users file that lists what labels a user can use and which is used if none is specified. You could also base it on the label of the user's home directory.
>
> why not just:
>
> session required pam_smack.so label=User

Or, to be even more pragmatic, how about launching the sshd service in the User domain and teaching people how to change their Smack label once they have a shell? (hint: # echo label > /proc/self/attr/current)

> but, if you're going to make a config file, *please* put it in /etc/security where the pam configs should be....
>
> Auke

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
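The thread leaves open how a pam_smack module would decide which label a session gets: Casey suggests a per-user file listing the labels a user may use plus a default, Auke suggests a `label=` module argument and asks that any file live under /etc/security. As an added illustration, not code from Tizen or from the Smack project, here is the label-selection core such a module could build on, written in C. It assumes a hypothetical file `/etc/security/smack_users` (format invented here: user name, default label, then any further labels the user may request), a hypothetical `label=` argument passed in as `requested`, and a fail-closed policy: an unknown user or a request for a label not listed for that user is denied rather than silently mapped to something else. The PAM entry point (`pam_sm_open_session`) that would call these functions is not shown; the attribute path is a parameter so the write logic can be exercised against an ordinary file, since writing `/proc/self/attr/current` needs CAP_MAC_ADMIN.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical /etc/security/smack_users format (assumed for this example):
 *   # user  default-label  other labels the user may request ...
 *   alice   User           Staff
 *   bob     User
 * Policy: no entry -> deny; a requested label is honoured only if listed;
 * with no request the user's default (first label) is used.               */
#define SMACK_LABEL_MAX 255           /* Smack's maximum label length */
#define MAX_LABELS_PER_USER 16
#define MAX_LINE 512

struct user_entry {
    char name[64];
    int nlabels;                      /* labels[0] is the default */
    char labels[MAX_LABELS_PER_USER][SMACK_LABEL_MAX + 1];
};

/* Constructed sample standing in for the contents of the config file. */
const char sample_config[] =
    "# user default-label other-permitted-labels...\n"
    "alice User Staff\n"
    "\n"
    "bob User\n";

/* Parse one line into *e. Returns 0 for comments, blank or malformed lines. */
static int parse_entry(const char *line, struct user_entry *e)
{
    char buf[MAX_LINE];
    char *tok;

    if (line[0] == '#' || line[0] == '\0')
        return 0;
    snprintf(buf, sizeof buf, "%s", line);
    tok = strtok(buf, " \t");
    if (tok == NULL || strlen(tok) >= sizeof e->name)
        return 0;
    snprintf(e->name, sizeof e->name, "%s", tok);
    e->nlabels = 0;
    while ((tok = strtok(NULL, " \t")) != NULL) {
        if (e->nlabels == MAX_LABELS_PER_USER || strlen(tok) > SMACK_LABEL_MAX)
            return 0;                 /* reject over-long labels outright */
        strcpy(e->labels[e->nlabels++], tok);   /* length checked above */
    }
    return e->nlabels > 0;
}

/* Locate the entry for `user` in the config text. Returns 1 if found. */
int find_user(const char *config, const char *user, struct user_entry *out)
{
    const char *p = config;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE];
        struct user_entry e;

        if (len < sizeof line) {      /* over-long lines are skipped, not parsed */
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_entry(line, &e) && strcmp(e.name, user) == 0) {
                *out = e;
                return 1;
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Decide the session label. `requested` is the label= argument or NULL.
 * Returns a static buffer with the label, or NULL when the request is denied. */
const char *choose_label(const char *config, const char *user, const char *requested)
{
    static char chosen[SMACK_LABEL_MAX + 1];
    struct user_entry e;
    int i;

    if (!find_user(config, user, &e))
        return NULL;                  /* unknown user: fail closed */
    if (requested == NULL) {
        strcpy(chosen, e.labels[0]);  /* user's default */
        return chosen;
    }
    for (i = 0; i < e.nlabels; i++)
        if (strcmp(e.labels[i], requested) == 0) {
            strcpy(chosen, requested);
            return chosen;
        }
    return NULL;                      /* label not permitted for this user */
}

/* Write the label to attr_path (/proc/self/attr/current in the real module;
 * the kernel may reject the write at flush time, so check fclose too). */
int apply_label(const char *attr_path, const char *label)
{
    FILE *f = fopen(attr_path, "w");
    int ok;

    if (f == NULL)
        return 0;
    ok = fputs(label, f) >= 0;
    if (fclose(f) != 0)
        ok = 0;
    return ok;
}

int main(void)
{
    const char *cases[][2] = { {"alice", NULL}, {"alice", "Staff"}, {"bob", "Staff"}, {"carol", NULL} };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *label = choose_label(sample_config, cases[i][0], cases[i][1]);
        printf("user=%s requested=%s -> %s\n", cases[i][0],
               cases[i][1] ? cases[i][1] : "(default)", label ? label : "DENIED");
    }
    /* Succeeds only as root with CAP_MAC_ADMIN on a Smack-enabled kernel. */
    printf("apply to /proc/self/attr/current: %s\n",
           apply_label("/proc/self/attr/current", "User") ? "ok" : "failed");
    return 0;
}
```

Keeping the decision (`choose_label`) separate from the privileged write (`apply_label`) lets the policy be unit-tested as an unprivileged user and keeps the only CAP_MAC_ADMIN-dependent step small and auditable; the denials in the sample run (bob asking for Staff, the unlisted user carol) show the fail-closed cases a reviewer would want to see exercised before trusting the module on `su` and `sshd`.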
