    audit: only allow tasks to set their loginuid if it is -1 · 633b4545
    Eric Paris authored
    At the moment we allow tasks to set their loginuid if they have
    CAP_AUDIT_CONTROL.  In reality we want tasks to set the loginuid when they
    log in and it be impossible to ever reset.  We had to make it mutable even
    after it was once set (with the CAP) because on update an admin might have
    to restart sshd.  Now sshd would get his loginuid and the next user which
    logged in using ssh would not be able to set his loginuid.
    
    Systemd has changed how userspace works and allowed us to make the kernel
    work the way it should.  With systemd users (even admins) are not supposed
    to restart services directly.  The system will restart the service for
    them.  Thus since systemd is going to loginuid==-1, sshd would get -1, and
    sshd would be allowed to set a new loginuid without special permissions.
    
    If an admin in this system were to manually start an sshd he is inserting
    himself into the system chain of trust and thus, logically, it's his
    loginuid that should be used!  Since we have old systems I make this a
    Kconfig option.
    Signed-off-by: Eric Paris <eparis@redhat.com>
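The rule described in the commit message, as an added example: this is a userspace C model written for this page, not code from the kernel tree or from the commit. The `immutable` parameter stands in for the Kconfig option (whose name the message does not give), and the uids 1000 and 1001 are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define LOGINUID_UNSET ((unsigned int)-1)

/* Model of a task: only the two properties the commit message talks about. */
struct task {
    unsigned int loginuid;   /* (unsigned)-1 means "never set" */
    bool cap_audit_control;  /* task holds CAP_AUDIT_CONTROL */
};

/* Permission check: `immutable` models the new Kconfig option being enabled. */
static int set_loginuid(struct task *t, unsigned int uid, bool immutable)
{
    if (immutable) {
        if (t->loginuid != LOGINUID_UNSET)
            return -EPERM;   /* set once at login, never reset */
    } else if (!t->cap_audit_control) {
        return -EPERM;       /* old behaviour: gated on the capability */
    }
    t->loginuid = uid;
    return 0;
}

/* A child inherits loginuid and capabilities from its parent, as on fork. */
static struct task spawn(const struct task *parent) { return *parent; }

/* User logs in through an sshd started by `starter`; returns the loginuid
 * that audit records for the resulting session would carry. */
static unsigned int ssh_login(const struct task *starter, unsigned int user,
                              bool immutable)
{
    struct task sshd = spawn(starter);
    struct task session = spawn(&sshd);
    set_loginuid(&session, user, immutable); /* the login stack's attempt */
    return session.loginuid;
}

int main(void)
{
    struct task init = { LOGINUID_UNSET, true }; /* systemd: loginuid == -1 */
    struct task admin = { 1000, true };          /* admin already logged in */

    printf("systemd-started sshd, immutable: %u\n", ssh_login(&init, 1001, true));
    printf("admin-started sshd, immutable:   %u\n", ssh_login(&admin, 1001, true));
    printf("admin-started sshd, legacy:      %u\n", ssh_login(&admin, 1001, false));
    return 0;
}
```

In the second case the session keeps the admin's loginuid, which is the "his loginuid that should be used" outcome the message argues for.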