Comment 91 for bug 1197395

In , Marek (marek-redhat-bugs) wrote :

As I understand it, the pam_loginuid is for auditing to tag a process with "original logger's UID from the authentication entry point". In the case of su, only the superusers don't have to authenticate themselves, so the purpose of the "thou shalt not pam_loginuid from su" is not really clear to me.

Whatever was meant for pam_loginuid, the bottom line is that if someone gets root rights they can do anything - also save a password for some account, change this password, log in remotely as that account (it's an entry point, so the account becomes the "original logger"), do something bad or good, then log off, and change the password back.

In the end, I propose pam_systemd should get the UID for the new user some other way and set the environment accordingly. This would let the discussion of whether (or when) su should run pam_loginuid be resolved by philosophers.

PS. I was about to bump this in a couple of days so as not to look too aggressive about it. I'm still waiting for this to be resolved. Even though I grew accustomed to it, entering "export XDG_RUNTIME_DIR=/run/user/*" every time I log in to a remote machine to do anything that is connected with FreeDesktop specifications is really bothersome (especially since more and more is relying on those standards, which by itself is for the better).