Michal Koutný <mkou...@suse.com> writes: > Hello Dominick. > > On Tue, Jul 22, 2025 at 09:42:59AM +0200, Dominick Grift > <dominick.gr...@defensec.nl> wrote: >> >> From what I understand the sd-pam process is responsible for "PAM >> close" but it cannot do its job properly if it does not have privileges. > > AFAICS, sd-pam should drop privs to User= of the service.
That is the current behavior indeed but it breaks the functionality because then PAM lacks privileges that it might need to do its job. I have a very specific example of that but for now I prefer to keep it simple. > >> should sd-pam always run as root? > > Which service's sd-pam do you refer to? > What's your systemd version? 257. Service is irrelevant, but for example user@UID.service. The main issue is that I believe that sd-pam should always run as root because if it does not as root then it may lack permissions to do what it needs to do. I believe I have a way to produce that issue. To be clear: 1. currently sd-pam does not always run as root 2. when sd-pam does not run as root then it lacks permission needed to do its job for some pam modules > > Thanks, > Michal > -- gpg --locate-keys dominick.gr...@defensec.nl (wkd) Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift Mastodon: @kcini...@defensec.nl
