I think the placement of the pam_keyinit.so in the pam files is incorrect?

Nalin Dahyabhai nalin at redhat.com
Thu Dec 6 21:22:34 UTC 2007


On Fri, Dec 07, 2007 at 02:16:40AM +0530, Tom spot Callaway wrote:
> On Thu, 2007-12-06 at 13:39 -0500, Simo Sorce wrote:
> > I have the feeling that it is somehow wrong to give sudo that power.
> > For su I am still uncertain, but given that su does not authenticate
> > the final user but only the super user I again wonder if that should
> > give any access to the kernel keyring.
> 
> Maybe this is an ignorant question, but wouldn't you want this for
> loading/unloading kernel modules via su -c / sudo? Thanks to the nature
> of iwl3945 and similar drivers, I have been known to execute commands
> like:
> 
> $ sudo /sbin/modprobe -r iwl3945
> $ sudo /sbin/modprobe iwl3945
> 
> I'd think that having proper access to the kernel keyring for ops like
> that would be ideal, if not necessary. I'm also concerned about when we
> start making sudo/su not act like the root user, with all rights and
> permissions, because really, that is the purpose of sudo / su, and one
> of the reasons that those commands require either root's credentials to
> use (su / sudo) and/or specific permission (sudoers).

Here's another maybe-ignorant question.  The iwl3945 module reads
credentials from the kernel keyring of the user/process that loads it?
If so, what sort of credentials is it expecting to find there?

I don't have a system with one of these, and a quick web search isn't
laying it out for me, so a pointer to the right docs would be enough of
an answer.

Cheers,

Nalin



