On Thu, 2014-01-09 at 17:57 +0000, Schaufler, Casey wrote:
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On
> > Behalf Of José Bollo
> > Sent: Thursday, January 09, 2014 8:36 AM
> > To: [email protected]
> > Subject: [Dev] pam module for Smack
> >
> > Hi,
> >
> > We are facing problems with the commands 'su' and 'ssh' that don't set the
> > user Smack context. Such a service would naturally be accomplished by PAM,
> > the pluggable authentication module that is integrated with well known
> > commands: 'login', 'su', 'ssh' and by other less known as Gnome session
> > manager or weston.
> >
> > Currently, the context is set by systemd. I would like to know if there is a
> > reason that explains that systemd doesn't use login+pam to achieve that
> > behaviour?
>
> The reason is that systemd (currently) creates the user session
> without a login process. Going forward that does have to change.
> The user session is started in the "User" domain.
> This results in all of the processes spawned in the user session
> to be in the "User" domain. That's very clean.

I'm sorry to not understand the exact meaning of "Going forward that
does have to change". English isn't my native language. Does it mean
that it has to change, i.e., systemd should use login?

> > I'm thinking that a pam_smack module would be the most integrated way of
> > doing the thing. Why would it be wrong to think that? Ideas?
>
> A pam_smack module would be a fine thing, and has been on the Smack todo list
> since 2008.
>
> >
> > I've looked at what has to be done for making a pam_smack module and it
> > makes me believe that it is really easy to achieve.
>
> Excellent! I would be delighted to see details on how you'd like
> to handle determining what Smack label to assign the session.

Yes, that's THE point.

> I had envisioned a /etc/smack/users file that lists what labels
> a user can use and which is used if none is specified.
> You could also base it on the label of the user's home directory.

The idea of taking by default the label of the home directory is
pleasing to me. But it echoes another thread about smack and adding
user. The useradd internals have to be checked. That's sure.

Best regards
José
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
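
The label-selection question left open in this thread, sketched as an added example; it is not code from the thread or from any Smack or Tizen project. The `user: default [more...]` layout for /etc/smack/users and the function names are assumptions, since the thread only says the file lists the labels a user can use and which one is used if none is specified.

```c
#include <string.h>

#define SMACK_LABEL_MAX 255   /* Smack long-label limit, excluding the NUL */

/* Smack label syntax: printable ASCII, no / \ ' ", no leading '-'. */
static int smack_label_ok(const char *l)
{
    size_t n = strlen(l);
    if (n == 0 || n > SMACK_LABEL_MAX || l[0] == '-')
        return 0;
    for (; *l; l++)
        if (*l <= ' ' || *l > '~' || strchr("/\\'\"", *l))
            return 0;
    return 1;
}

/*
 * Choose the session label for `user`; returns 0 and fills out[256],
 * or -1 to refuse the session.
 *   db        text of the users file; assumed format "user: default [more...]"
 *   requested label the caller asked for, or NULL to take the default
 *   home      label of the user's home directory, or NULL if unknown
 */
int resolve_label(const char *db, const char *user, const char *requested,
                  const char *home, char *out)
{
    size_t ulen = strlen(user), rlen = requested ? strlen(requested) : 0;
    int listed = 0;

    out[0] = '\0';
    for (const char *p = db; *p && !listed; p += strcspn(p, "\n"), p += (*p == '\n')) {
        if (strncmp(p, user, ulen) != 0 || p[ulen] != ':')
            continue;                       /* not this user's line */
        listed = 1;
        for (const char *t = p + ulen + 1; ; ) {
            t += strspn(t, " \t");
            size_t n = strcspn(t, " \t\n");
            if (n == 0 || n > SMACK_LABEL_MAX)
                break;                      /* list exhausted or malformed */
            if (!requested || (n == rlen && !memcmp(t, requested, n))) {
                memcpy(out, t, n);          /* first label is the default */
                out[n] = '\0';
                break;
            }
            t += n;
        }
    }
    /* Unlisted user with no explicit request: fall back to the home label. */
    if (!listed && !requested && home && smack_label_ok(home))
        strcpy(out, home);
    return smack_label_ok(out) ? 0 : -1;
}
```

A PAM session hook would read `home` from the home directory's `security.SMACK64` extended attribute and apply the chosen label by writing it to /proc/self/attr/current. A listed user asking for a label outside their list is refused rather than silently given the default.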
