On 11/5/25 03:51, Thorsten Kukuk wrote:
> Hi,
>
> All Systems Go! is already long ago, so a status update on where I am
> with using a Linux distribution with NoNewPrivs set by default.
>
> I renamed my "pwaccess" PoC to "account-utils"
> (https://github.com/thkukuk/account-utils), which should contain now
> the main functionality to replace chage, chfn, chsh, expiry, passwd
> and pam_unix.so. I ignored everything around "newgrp" and "gpasswd".
> Together with polkit from git I have an openSUSE MicroOS machine
> running I can use as a container Host OS for most of my daily work.
> So authentication, password management, run0 as su/sudo replacement,
> run containers.
> Currently I try to get all modified and new packages into MicroOS to
> make it easy to enable this feature.
>
> Next steps:
> * account-utils is currently under review by our security team
> * polkit: SELinux policy needs to get adjusted, WIP
> * Wrapper for su to use run0/systemd-run. Has anybody looked at this already?
> * Better polkit rules for run0 to be more aligned with sudo behavior.
>
> Questions for systemd developers:
> 1. people are afraid if they see that
> "org.freedesktop.systemd1.manage-units" is used for run0, they want to
> have the feeling they can apply different rules to who can manage
> units and who can use run0. Any chance to add
> "org.freedesktop.systemd1.run0"?
> 2. Which variables does systemd provide for polkit's "action.lookup()"?
> I couldn't really find this out.
>
> Biggest remaining issue: looks like the postfix container really needs
> setuid, since the daemon drops its privileges and depends on a setgid
> helper :(
>
> Regards,
> Thorsten

I believe most MTAs depend on setuid/setgid binaries for local mail
submission. Fixing them would require patches to them.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
