Sam Morris via FreeIPA-users wrote:
> Why is 'sudo -i' its own service at all? Why isn't
> this covered by the 'sudo' service?
There are situations where you want some PAM modules to run only for
'interactive' sessions. On Debian, /etc/pam.d/sudo contains
"@common-session-noninteractive".
To see what practical difference this makes, run 'diff -u
/etc/pam.d/common-session{,-noninteractive}'. On my system I see that pam_sss,
pam_systemd and pam_mkhomedir are missing from noninteractive sessions; other systems may
vary.
Exactly this. HBAC services == PAM services. You are free to group HBAC
services and assign permissions by group if you'd prefer. In fact, IPA
ships with a sudo HBAC service group containing sudo and sudo-i.
rob
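
The comparison described in the thread, as an added example that is not part of the original messages: because each HBAC service name is a PAM service name, listing the session stack of `sudo` and `sudo-i` shows which modules only the interactive service runs. The function names are hypothetical, and the PAM files are constructed samples modelled on the Debian layout and the three modules mentioned above.

```shell
#!/bin/sh
# Constructed sample files below model the Debian layout described in the thread.

# Print the session-stack modules of PAM service $2 in directory $1,
# following "@include FILE" and "session include|substack FILE" lines.
pam_session_modules() {
    local dir="$1" svc="$2" type ctrl mod rest
    # Drop comments; collapse "[a=b c=d]" controls so fields split cleanly.
    sed -E 's/#.*//; s/\[[^]]*\]/bracketed/' "$dir/$svc" |
    while read -r type ctrl mod rest; do
        case "$type" in
            @include) pam_session_modules "$dir" "$ctrl" ;;
            session|-session)
                case "$ctrl" in
                    include|substack) pam_session_modules "$dir" "$mod" ;;
                    *) echo "${mod%.so}" ;;
                esac ;;
        esac
    done
}

# Print session modules that service $3 runs but service $2 does not.
session_only_in() {
    local base
    base=$(pam_session_modules "$1" "$2" | sort -u)
    pam_session_modules "$1" "$3" | sort -u | grep -vxF -e "$base" || true
}

# Write constructed sample PAM files to a temp directory and print its path.
make_sample_pamd() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '@include common-session-noninteractive' > "$d/sudo"
    printf '%s\n' '@include common-session' > "$d/sudo-i"
    cat > "$d/common-session-noninteractive" <<'EOF'
session [default=1] pam_permit.so
session required    pam_unix.so   # constructed
EOF
    { cat "$d/common-session-noninteractive"
      printf 'session optional pam_%s.so\n' sss systemd mkhomedir
    } > "$d/common-session"
    echo "$d"
}

d=$(make_sample_pamd)
echo "session modules run for sudo-i but not sudo:"
session_only_in "$d" sudo sudo-i
rm -rf "$d"
```

On a real host, pass `/etc/pam.d` as the directory instead of the sample one; the result depends on the distribution's PAM files.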