#7: [PATCH] Allow changing of passwords in containers lacking CAP_AUDIT_WRITE
--------------------+-------------------------------
Reporter: lennart | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Resolution:
Keywords: | Blocked By:
Blocking: |
--------------------+-------------------------------
Comment (by lennart):

Replying to [comment:4 kukuk]:
> Replying to [comment:3 lennart]:
> > Umm, no. This is about running a second Fedora instance on another
> > Fedora instance inside a Linux container (i.e. something built from Linux
> > namespaces, cgroups and dropped capabilities). Since we don't want the
> > second instance's auditing messages to pollute the audit logs of the host
> > (since they make little sense outside the context of the container), we
> > turn off CAP_AUDIT_WRITE for the container. This works mostly fine except
> > that the audit stuff in PAM then chokes on this and, in the ill belief it
> > was always in the possession of all capabilities, refuses logins and
> > password changes.
>
> But your patch makes it possible to change the password even on the host
> system without audit log, and this is an absolute no-go.

Hmm? That's not true. We still check for EPERM here, which is about access
control, not about "audit not available".

> The only solution I see here currently is that the container has its
> own auditing.

This is not supported on Linux, and is not even desirable in many cases
where the host shall do auditing but the container shouldn't. Forcing the
container to use auditing just because the host uses it is very
suboptimal, since containers are intended to be lightweight. I mean, if I
run 1000 containers on a server with an Apache in each, then I am quite
sure I want to avoid running 1000 auditds for that. But since I rent
these 1000 auditds to customers who can do with them what they want, I also
don't want those logs to show up in the main audit logs and generate noise.
And honestly, a setup like I just described is probably going to be the
common use case for containers, not the exception.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/7#comment:5>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
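The situation the thread describes (a container whose effective capability set lacks CAP_AUDIT_WRITE, so the kernel accepts the audit netlink socket but refuses the user messages written to it with EPERM) is something an operator can check for before it turns into failed logins. The diagnostic below is an added example and is not Linux-PAM code or the patch under discussion; it parses the `CapEff` line of `/proc/self/status` to see whether bit 29 (CAP_AUDIT_WRITE) is present, opens the audit netlink socket, and classifies the open error the way the comment distinguishes them: EPERM/EACCES as an access-control answer, EPROTONOSUPPORT/EAFNOSUPPORT/EINVAL as "audit not present in the kernel". The `audit_state` enum, the function names and the errno grouping are this example's own choices, not PAM's.

```c
/* audit_probe.c: added diagnostic example, not Linux-PAM code.
 * Reports whether this process could write audit user messages:
 * (1) does CapEff in /proc/self/status contain CAP_AUDIT_WRITE (bit 29)?
 * (2) can the audit netlink socket be opened, and if not, why not? */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/capability.h>   /* CAP_AUDIT_WRITE */
#include <linux/netlink.h>      /* NETLINK_AUDIT */

/* Classification used by this example (assumption, not PAM's own states). */
enum audit_state {
    AUDIT_USABLE,       /* socket opened; sends still need CAP_AUDIT_WRITE */
    AUDIT_NOT_PRESENT,  /* kernel has no audit support at all */
    AUDIT_DENIED,       /* access control refused it (EPERM/EACCES) */
    AUDIT_OTHER_ERROR   /* anything else (ENOMEM, ...) */
};

/* 1 if bit `cap` is set in a hex capability mask as printed by
 * /proc/<pid>/status (e.g. "0000003fffffffff"), 0 if clear, -1 if the
 * mask does not parse or `cap` is out of range. */
int cap_mask_has(const char *hexmask, int cap)
{
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || cap < 0 || cap > 63)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Locate "CapEff:" in a status buffer and test one capability in it.
 * Returns 1/0, or -1 when the line is missing or malformed. */
int status_has_cap(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char hex[32];
    size_t n = strspn(p, "0123456789abcdefABCDEF");
    if (n == 0 || n >= sizeof hex)
        return -1;
    memcpy(hex, p, n);
    hex[n] = '\0';
    return cap_mask_has(hex, cap);
}

/* Map the errno from socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) onto the
 * distinction drawn in the ticket: a permission error is not the same
 * thing as audit being unavailable. */
enum audit_state classify_audit_errno(int err)
{
    switch (err) {
    case 0:               return AUDIT_USABLE;
    case EPROTONOSUPPORT: /* fall through */
    case EAFNOSUPPORT:    /* fall through */
    case EINVAL:          return AUDIT_NOT_PRESENT;
    case EPERM:           /* fall through */
    case EACCES:          return AUDIT_DENIED;
    default:              return AUDIT_OTHER_ERROR;
    }
}

/* Open the audit netlink socket (no message is sent) and classify. */
enum audit_state probe_audit_socket(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return classify_audit_errno(errno);
    close(fd);
    return AUDIT_USABLE;
}

static const char *state_name(enum audit_state s)
{
    static const char *names[] = { "usable", "not present", "denied", "other error" };
    return names[s];
}

int main(void)
{
    char buf[8192] = { 0 };
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) {
        perror("/proc/self/status");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    int has_cap = status_has_cap(buf, CAP_AUDIT_WRITE);
    printf("CAP_AUDIT_WRITE in CapEff: %s\n",
           has_cap == 1 ? "yes" : has_cap == 0 ? "no" : "unknown");
    printf("audit netlink socket: %s\n", state_name(probe_audit_socket()));
    return 0;
}
```

The two answers have to be read together: a socket that opens cleanly only shows the kernel has audit compiled in, because the capability check happens when a message is sent, so a container with audit present but the capability dropped prints "yes"-style socket availability next to "no" for CapEff, and that is exactly the combination the ticket is about.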