Menu
In order to run ssh daemon service, pam_loginuid entry has to be set to optional in /etc/pam.d/sshd as described in the official example for Ubuntu 13.10.
Was this entry optional for previous versions of Ubuntu? Did it even exist before Ubuntu 13.10?
What does setting pam_loginuid to optional mean, anyway?
Is my ssh configuration much less secure in this respect?
588
pam_loginuid is used to set the loginuid audit attribute of a process when a user logs in through SSH, X, or anything like that. This attribute can then be used by the audit framework for various purposes.
However, setting this audit attributes requires some audit-related capabilities to be enabled; and by default, Docker drops them, so the audit_setloginuid call will fail.
When the PAM module is configured to required, such failures are fatal (and PAM prevents the login from going on); while optional means "go on anyway".
I might be wrong, but I believe that while pam_loginuid is available in previous versions (I tested with 12.04) it wasn't enabled anyway; so that's why 13.10 and higher require this special setting.
198
This investigation is too long for a comment. As @jpetazzo indicated, this problem is likely due to lack of the CAP_AUDIT_WRITE capability. Which apparently affects some versions of Docker and Linux, but not others. So here I'll try to investigate the evolution of this.
AUDIT_WRITE in the list of dropped capabilitiesAUDIT_WRITE in thatAUDIT_WRITE capability to a whitelistoci/defaults_linux.go
So it would seem as though all versions before 0.7.2 and also all versions since 1.2.0 should keep CAP_AUDIT_WRITE. As I'm seeing pam_loginuid-related problems with 1.12.5 there might be some other capability involved here.
43
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
