MAN: Document that PAM stack contains the systemd-user service in the account phase in recent distributions #4912

sssd-bot · 2020-05-02T13:55:36Z

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3932

Created at 2019-01-28 21:20:12 by jhrozek
Closed at 2019-08-18 23:15:14 as Fixed
Assigned to jhrozek
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1669407

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1669407

some distributions, like RHEL-8 add a new systemd-user service that is called by the systemd user session and includes system-auth. This means that the access control rules must also include the systemd-user service or else authentication fails.

We should probably document this at least for the purely client-side access control schemas like authorizedService. GPOs already include systemd-user as permit-by-default and IPA had changed its defaults to include this service as well.

Comments

Comment from jhrozek at 2019-01-28 21:20:13

Metadata Update from @jhrozek:

Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1669407

Comment from abbra at 2019-01-29 08:14:57

I would prefer if SSSD would always allowed systemd-user access in HBAC rules. We are going to remove a special HBAC rule for systemd-user because there is no variability in that one, it has simply to be allowed always.

Comment from jhrozek at 2019-01-29 08:44:25

OK, adding a 'special rule' if fine with me (I would just open a separate ticket). I'd also like to get your opinion on two things:

do you feel we should also add a 'subfilter' for the systemd-user service for e.g. the authorizedServices LDAP attribute? Here I would personally say no, the LDAP filters are too 'low-level' and free-form in my opinion that I think we should not presume anything and just let admin configure them
do you think this should be a RHEL-8.0 fix? IIRC you planned to fix systemd-user for 8.0, did that change?

Comment from abbra at 2019-01-29 12:34:29

I don't think (1) is needed to be done, indeed. I'd rather allow admins to have full control there.

For (2) -- it affects Fedora 29+ and RHEL 8 post-beta. We fixed RHEL 8 post-beta but I think now we want to remove that fix and also revert it upstream and instead rely on a fixed SSSD. The problem with an explicit HBAC rule is that it makes little sense for something which is a system-specific property which is pretty much not configurable. pam_systemd always launches systemd --user and the exact PAM service name is hardcoded in systemd source code:

src/login/pam_systemd.c:        if (streq_ptr(service, "systemd-user")) {

So I would consider this as a distribution specific detail as all systemd-based distributions will have it and the only difference is whether pam_systemd is included with required or optional line in PAM configuration, either forcing a failure or pampering over it.

Comment from jhrozek at 2019-01-29 12:44:00

OK, I'll open another ticket. Thanks for the opinions.

Comment from jhrozek at 2019-01-29 12:45:25

Issue #3933 created.

Comment from jhrozek at 2019-02-27 16:49:02

Metadata Update from @jhrozek: