Ohai,

On Thu, Nov 13, 2014 at 10:39:35AM +0000, Simon McVittie wrote:

> I cannot reproduce this bug on a (somewhat outdated) jessie system with
> sysvinit. I would like some more information from the people who are
> affected by it:
> 
> * Are you using a non-Debian kernel?
> * Does your kernel have AUDIT_LOGINUID_IMMUTABLE set in its configuration?
> * What init system are you using? (sysvinit? systemd? Upstart? something else?)

I can reproduce this bug on a Debian Jessie system with LXC 2.0 (from Stretch).

Host: jessie with systemd as pid1, lxc and lxcfs from stretch
Guest: jessie with sysvinit as pid1 (systemd still gives me headaches in containers)

I think the crucial part here is that I run my containers unprivileged in a user namespace.

# cat /proc/self/loginuid
4294967295

same value is returned for the sshd process

> Possible workarounds include:
> 
> * Remove pam_loginuid.so from the ssh configuration (confirmed to work,
>   but it would reopen #677440 and doesn't seem a great idea distro-wide)
> * Use a modern init system that starts system services via IPC to pid 1,
>   i.e. systemd or Upstart
>   - The restarted openssh-server has loginuid -1
>   - The transition from -1 to 4321 succeeds
>   - Everything's fine
> * Use a Debian kernel without AUDIT_LOGINUID_IMMUTABLE (?)
> * Drop pam_loginuid.so from required to optional in the ssh configuration (?)

There are PAM patches at [1][2][3], maybe they just need backporting to Jessie?

Greets
Evgeni

[1] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=5825450540e6620ac331c64345b42fdcbb1d6e87
[2] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
[3] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=2e62d5aea3f5ac267cfa54f0ea1f8c07ac85a95a
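
Added example (not part of the message above, and not the linux-pam pam_loginuid code or the patches linked there): a small C program that models the read-compare-write sequence a pam_loginuid-style module performs against /proc/self/loginuid. It treats 4294967295, i.e. (uid_t)-1, as "unset" (the value quoted above for both the shell and sshd in the container), leaves the file alone when it already holds the session's uid so that no write and therefore no permission is needed, writes it otherwise, and reports a write refused with EPERM separately from other failures and from a missing file. The path is a parameter purely so the logic can be exercised on a throwaway regular file in /tmp (assumed writable); whether the unprivileged-userns case lands in the refused or the unset branch is what the thread is trying to establish, and the example only makes those outcomes distinguishable.

```c
/* Added example: pam_loginuid-style handling of /proc/self/loginuid. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* (uid_t)-1 is what the kernel prints as 4294967295: no login uid yet. */
#define LOGINUID_UNSET ((uid_t)-1)

enum loginuid_result {
    LOGINUID_OK = 0,   /* written, or the file already held the target uid */
    LOGINUID_SKIP,     /* file absent: kernel without audit support */
    LOGINUID_REFUSED,  /* the kernel rejected the write with EPERM */
    LOGINUID_ERROR     /* open/read/parse/write failed for another reason */
};

/* Parse the decimal text the kernel exposes. Returns 0..4294967295,
 * or -1 if the text is not a single unsigned 32-bit number. */
long long parse_loginuid_value(const char *text)
{
    char *end;
    unsigned long long v;

    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno != 0 || end == text || v > 0xffffffffULL)
        return -1;
    if (*end == '\n')
        end++;
    return *end == '\0' ? (long long)v : -1;
}

/* Run the sequence against PATH as if it were /proc/self/loginuid.
 * The value found before any write is stored in *before. */
enum loginuid_result set_loginuid_at(const char *path, uid_t target, uid_t *before)
{
    char buf[32];
    struct stat st;
    ssize_t n;
    long long cur;
    int fd, len;
    enum loginuid_result rc = LOGINUID_ERROR;

    fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return errno == ENOENT ? LOGINUID_SKIP : LOGINUID_ERROR;

    n = read(fd, buf, sizeof buf - 1);
    if (n < 0)
        goto out;
    buf[n] = '\0';
    cur = parse_loginuid_value(buf);
    if (cur < 0)
        goto out;
    *before = (uid_t)cur;

    /* Already the right uid: nothing to write, so no permission needed. */
    if (*before == target) {
        rc = LOGINUID_OK;
        goto out;
    }

    len = snprintf(buf, sizeof buf, "%u", (unsigned)target);
    if (lseek(fd, 0, SEEK_SET) < 0)
        goto out;
    if (write(fd, buf, (size_t)len) != len) {
        rc = errno == EPERM ? LOGINUID_REFUSED : LOGINUID_ERROR;
        goto out;
    }
    /* Only the regular-file stand-in needs truncating; procfs has no size. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && ftruncate(fd, len) < 0)
        goto out;
    rc = LOGINUID_OK;
out:
    close(fd);
    return rc;
}

/* Exercise the sequence on a constructed stand-in file that starts at the
 * unset sentinel. Returns 0 on success, otherwise the failing step number. */
int exercise_on_tempfile(void)
{
    char path[] = "/tmp/loginuid.XXXXXX";   /* assumed: /tmp is writable */
    uid_t before = 0;
    int fd = mkstemp(path);

    if (fd < 0)
        return 1;
    if (write(fd, "4294967295\n", 11) != 11) { close(fd); unlink(path); return 2; }
    close(fd);
    /* unset -> 4321: the transition the thread says succeeds */
    if (set_loginuid_at(path, 4321, &before) != LOGINUID_OK || before != LOGINUID_UNSET) { unlink(path); return 3; }
    /* 4321 -> 4321: already correct, no write issued */
    if (set_loginuid_at(path, 4321, &before) != LOGINUID_OK || before != 4321) { unlink(path); return 4; }
    unlink(path);
    /* file gone: treated as "no audit support", i.e. skip */
    if (set_loginuid_at(path, 4321, &before) != LOGINUID_SKIP)
        return 5;
    return 0;
}

int main(void)
{
    uid_t before = 0;
    enum loginuid_result r = set_loginuid_at("/proc/self/loginuid", getuid(), &before);

    printf("loginuid before: %s (%u), result: %d\n",
           before == LOGINUID_UNSET ? "unset" : "set", (unsigned)before, (int)r);
    return (r == LOGINUID_OK || r == LOGINUID_SKIP) ? 0 : 1;
}
```

Run the binary inside the container from an unprivileged shell and then from the restarted sshd's environment: a result of 2 (refused) with "unset" before it, versus 2 with a set value, versus 0, is the distinction the questions quoted above are after. The compare-before-write step is this example's own choice; whether the linked upstream commits do the same is not established here.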
