On Thu, 2012-02-09 at 14:32 -0500, Eric Paris wrote:
With this enabled we will break people directly launching login
utilities instead of going through init. However it will allow us to
remove some permissions from applications (CAP_AUDIT_CONTROL) since
setting the loginuid will no longer be a privileged operation and will
greatly increase the reliability of audit logs to be able to attest to
what user performed what operation.
Launching by hand can be made to work by changing your pam config to
switch pam_loginuid.so to be 'optional' instead of 'required.' It also
means that the admin who started the service will be attributed to
everything someone who logs in did.
but those are the knocks if you do weird stuff like launch your own sshd
inside a chroot....