#7: [PATCH] Allow changing of passwords in containers lacking CAP_AUDIT_WRITE
--------------------+-------------------------------
Reporter: lennart | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Resolution:
Keywords: | Blocked By:
Blocking: |
--------------------+-------------------------------
Comment (by kukuk):
Replying to [comment:3 lennart]:
> Umm, no. This is about running a second Fedora instance on another
> Fedora instance inside a Linux container (i.e. something built from Linux
> namespaces, cgroups and dropped capabilities). Since we don't want that
> the second instance's auditing messages pollute the audit logs of the host
> (since they make little sense outside the context of the container), we
> turn off CAP_AUDIT_WRITE for the container. This works mostly fine except
> that the audit stuff in PAM then chokes on this and in the ill belief it
> was always in the possession of all capabilities refuses logins and
> password changes.
But your patch makes it possible to change the password even on the host
system without audit log, and this is an absolute no-go.
The only solution I see here currently is that the container has its own
auditing.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/7#comment:4>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
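The disagreement above turns on whether the process doing the password change still holds CAP_AUDIT_WRITE. The following helper, added here as an illustration and not part of the Linux-PAM code base or of either commenter's patch, reads the effective capability mask from /proc/<pid>/status and reports whether the bit is present; the two sample status excerpts are constructed, and the capability number 29 is the value of CAP_AUDIT_WRITE in linux/capability.h.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_AUDIT_WRITE = 29

# Constructed excerpts of /proc/self/status: a full-capability host root
# shell, and the same process inside a container that dropped CAP_AUDIT_WRITE.
HOST_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
CONTAINER_STATUS = "Name:\tbash\nCapEff:\t000001ffdfffffff\nCapBnd:\t000001ffdfffffff\n"

_CAPEFF_RE = re.compile(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_capeff(status_text: str) -> int:
    """Return the effective capability bitmask encoded in a status file."""
    match = _CAPEFF_RE.search(status_text)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def has_capability(capeff: int, cap: int) -> bool:
    """True when bit `cap` is set in the effective capability mask."""
    return bool((capeff >> cap) & 1)


def can_write_audit(status_text: str) -> bool:
    """Whether a process with this status file could emit audit records.

    A process lacking CAP_AUDIT_WRITE is exactly the case described in the
    ticket: PAM's audit calls will fail rather than silently succeed.
    """
    return has_capability(parse_capeff(status_text), CAP_AUDIT_WRITE)


def current_process_can_write_audit() -> bool:
    """Check the running process via /proc/self/status (Linux only)."""
    with open("/proc/self/status", encoding="ascii") as status:
        return can_write_audit(status.read())


if __name__ == "__main__":
    for label, text in (("host", HOST_STATUS), ("container", CONTAINER_STATUS)):
        print(f"{label}: CAP_AUDIT_WRITE present = {can_write_audit(text)}")
```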