I think the placement of the pam_keyinit.so in the pam files is incorrect?

Jeremy Katz katzj at redhat.com
Thu Dec 6 21:33:32 UTC 2007


On Thu, 2007-12-06 at 16:22 -0500, Nalin Dahyabhai wrote:
> On Fri, Dec 07, 2007 at 02:16:40AM +0530, Tom spot Callaway wrote:
> > On Thu, 2007-12-06 at 13:39 -0500, Simo Sorce wrote:
> > > I have the feeling that it is somehow wrong to give sudo that power.
> > > For su I am still uncertain, but given that su does not authenticate the
> > > final user but only the super user I again wonder if that should give
> > > any access to the kernel keyring.
> > 
> > Maybe this is an ignorant question, but wouldn't you want this for
> > loading/unloading kernel modules via su -c / sudo? Thanks to the nature
> > of iwl3945 and similar drivers, I have been known to execute commands
> > like:
> > 
> > $ sudo /sbin/modprobe -r iwl3945
> > $ sudo /sbin/modprobe iwl3945
> > 
> > I'd think that having proper access to the kernel keyring for ops like
> > that would be ideal, if not necessary. I'm also concerned about when we
> > start making sudo/su not act like the root user, with all rights and
> > permissions, because really, that is the purpose of sudo / su, and one
> > of the reasons that those commands require either root's credentials to
> > use (su / sudo) and/or specific permission (sudoers).
> 
> Here's another maybe-ignorant question.  The iwl3945 module reads
> credentials from the kernel keyring of the user/process that loads it?
> If so, what sort of credentials is it expecting to find there?

The module doesn't read any credentials from the keyring.  I think spot
is delirious from jet lag ;-)

Jeremy



