Dominick Grift <dominick.gr...@defensec.nl> writes:

> Michal Koutný <mkou...@suse.com> writes:
>
>> On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift
>> <dominick.gr...@defensec.nl> wrote:
>>> To be clear:
>>>
>>> 1. currently sd-pam does not always run as root
>>
>> Ah, good.
>>
>>> 2. when sd-pam does not run as root then it lacks permission needed to
>>> do its job for some pam modules
>>
>> Such modules are frowned upon
>> https://github.com/systemd/systemd/issues/8598#issuecomment-1883471227
>
> That is the answer I was looking for. I think it is unreasonable for
> systemd to unilaterally decide to break these modules. This could
> introduce security issues. Not to mention that systemd seemingly decides
> it's exceptional compared to other login programs.
>
The PAM module I am referring to is pam_selinux. It resets the terminal
context when the session closes. However, since the terminal is then
owned by root and sd-pam runs as an unprivileged user, it cannot reset
it, leaving it in a bad state. pam_close_session(3) states:

    It should be noted that the effective uid, geteuid(2), of the
    application should be of sufficient privilege to perform such tasks
    as unmounting the user's home directory for example.

>>
>> Michal
>>

-- 
gpg --locate-keys dominick.gr...@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcini...@defensec.nl