I think the placement of the pam_keyinit.so in the pam files is incorrect?

Tom "spot" Callaway tcallawa at redhat.com
Thu Dec 6 20:46:40 UTC 2007


On Thu, 2007-12-06 at 13:39 -0500, Simo Sorce wrote:
> I have the feeling that it is somehow wrong to give sudo that power.
> For su I am still uncertain, but given that su does not authenticate the
> final user but only the super user I again wonder if that should give
> any access to the kernel keyring.

Maybe this is an ignorant question, but wouldn't you want this for
loading/unloading kernel modules via su -c / sudo? Thanks to the nature
of iwl3945 and similar drivers, I have been known to execute commands
like:

$ sudo /sbin/modprobe -r iwl3945
$ sudo /sbin/modprobe iwl3945

I'd think that having proper access to the kernel keyring for ops like
that would be ideal, if not necessary. I'm also concerned about when we
start making sudo/su not act like the root user, with all rights and
permissions, because really, that is the purpose of sudo / su, and one
of the reasons that those commands require either root's credentials to
use (su / sudo) and/or specific permission (sudoers).

~spot



