Current problematic cases with immutable loginuid

[Andreas Hasenack <andreas@canonical.com>]

Hi,

I was reading up on setting loginuid immutable, and was wondering what
are the current known problematic cases.

In general, anything that requires switching a set loginuid to another
value will be blocked:
- sshd started on another port by the logged in user to debug
something, and that debug requires logging in as a different user than
the one who started it up
- container that starts up within the user's session, instead of via
dockerd/containerd, systemd, or some other already-running daemon. I
read a lengthy bug in Redhat's bugzilla about a bad interaction with
systemd's nspawn, where apparently the container is started directly,
and thus inheriting the user's loginuid, instead of being started via
a request to systemd (the daemon)

The manpage mentions "certain kinds of containers", and I assume it's
a reference to nspawn's case above.

Are there other prominent problematic situations that people have
encountered while setting loginuid immutable?

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit