I initially preferred your option two, a drop-in file in whichever nis
and ldap binary packages, on principle of trying to keep the mitigations
in place if we can.

But your case for a difficult debugging session is persuasive. Reading
the various bug reports around this, option three seems pretty bad --
none of those symptoms would make me think of changing a systemd hardening
configuration on a service I might not know I am running. Nothing really
looked obviously related to network-based id services. Trying to provide
documentation around that won't be very discoverable.

Ubuntu is supposed to be easy.

So, option one: removing the restrictions for systemd-logind in our
package.

It would be nice if our implementation of option one would make it very
easy to re-add the hardening setting, which we could then document in a
hardening guide.
Thanks