> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of José Bollo
> Sent: Friday, January 10, 2014 7:39 AM
> To: [email protected]
> Subject: Re: [Dev] pam module for Smack
>
> On gio, 2014-01-09 at 17:57 +0000, Schaufler, Casey wrote:
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of José Bollo
> > > Sent: Thursday, January 09, 2014 8:36 AM
> > > To: [email protected]
> > > Subject: [Dev] pam module for Smack
> > >
> > > Hi,
> > >
> > > We are facing problems with the commands 'su' and 'ssh' that don't
> > > set the user Smack context. Such a service would naturally be
> > > accomplished by PAM the pluggable authentication module that is
> > > integrated with well known commands: 'login', 'su', 'ssh' and by
> > > other less known as Gnome session manager or weston.
> > >
> > > Currently, the context is set by systemd. I would like to know if
> > > there is a reason that explains that systemd doesn't use login+pam
> > > to achieve that behaviour?
> >
> > The reason is that systemd (currently) creates the user session
> > without a login process. Going forward that does have to change.
> > The user session is started in the "User" domain.
> > This results in all of the processes spawned in the user session to
> > be in the "User" domain. That's very clean.
>
> I'm sorry to not understand the exact meaning of "Going forward that does
> have to change". English isn't my native language. Does it mean that it has
> to change, i.e., systemd should use login?

Multi-user support is being developed. In order to identify and authenticate
which user to create a session for, something will have to happen before the
user session is launched. In today's images a session for the user "app" is
started without going through a login process. That will have to change.

> > > I'm thinking that a pam_smack module would be the most integrated
> > > way of doing the thing. Why would it be wrong to think that? Ideas?
> >
> > A pam_smack module would be a fine thing, and has been on the Smack
> > todo list since 2008.
> >
> > >
> > > I've looked at what has to be done for making a pam_smack module
> > > and it makes me believe that it is really easy to achieve.
> >
> > Excellent! I would be delighted to see details on how you'd like to
> > handle determining what Smack label to assign the session.
>
> Yes that's THE point.
>
> > I had envisioned a /etc/smack/users file that lists what labels a
> > user can use and which is used if none is specified.
> > You could also base it on the label of the user's home directory.
>
> The idea of taking by default the label of the home directory is pleasing to
> me. But it echoes another thread about smack and adding user.
>
> The useradd internals have to be checked. That's sure.
>
> Best regards
> José
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.tizen.org/listinfo/dev
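
The label-selection policy discussed in this thread (a users file naming each user's allowed labels with a default, and the home directory label as a fallback), sketched as an added example that is not code from the thread or from any Tizen or Smack project. The function name `smack_pick_label`, the one-line-per-user file format, and the rule that unlisted users may only take the home directory label are assumptions; reading the directory's `security.SMACK64` attribute and applying the result are left to the caller.

```c
/* Added example; assumed line format: <user> <default-label> [<allowed> ...] */
#include <string.h>
#define SMACK_LABEL_MAX 255

/* Smack label syntax: printable ASCII, none of / \ ' ", no leading '-'. */
static int label_ok(const char *l)
{
    if (!*l || *l == '-' || strlen(l) > SMACK_LABEL_MAX || strpbrk(l, "/\\'\""))
        return 0;
    for (; *l; l++)
        if (*l <= ' ' || *l > '~')
            return 0;
    return 1;
}

/* Copy the next blank-delimited token on the current line into tok. */
static int next_tok(const char **p, char *tok, size_t cap)
{
    *p += strspn(*p, " \t");
    size_t n = strcspn(*p, " \t\n");
    if (n == 0 || n >= cap)
        return 0;
    memcpy(tok, *p, n);
    tok[n] = '\0';
    *p += n;
    return 1;
}

/* requested/home_label may be NULL. Returns 0 and fills out, or -1 to deny. */
int smack_pick_label(const char *users, const char *user, const char *requested,
                     const char *home_label, char *out, size_t outlen)
{
    char tok[SMACK_LABEL_MAX + 1];
    const char *pick = NULL;
    for (const char *p = users; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        if (!next_tok(&p, tok, sizeof tok) || strcmp(tok, user) != 0)
            continue;
        while (!pick && next_tok(&p, tok, sizeof tok))  /* first label = default */
            if (!requested || strcmp(tok, requested) == 0)
                pick = tok;
        home_label = NULL;          /* listed users never fall back */
        break;
    }
    if (!pick && !requested)
        pick = home_label;          /* unlisted user: home directory label */
    if (!pick || !label_ok(pick) || strlen(pick) >= outlen)
        return -1;
    strcpy(out, pick);
    return 0;
}
```

Every path that cannot produce a listed, syntactically valid label returns -1, so a session module built on it would refuse the session instead of starting it under an unintended label.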
