PrivateDevices breaks pam_unix, for some reason. Remove this
protection. We still have DevicePolicy closed and running as non-root,
so this should still be relatively safe.

If doing PAM authentication, we can setuid to the target user and then
pam_unix will use unix_chkpwd on our behalf.

Problems with this working in the lab were resolved by a yum reinstall pam,
so it was presumably due to messed up setcap or similar experiments.

It's tricky. On Red Hat platforms, we need the CAP_DAC_READ_SEARCH
capability. Unfortunately this is one of the nicest capabilities to have.
For now add it to the ambient set so that PAM can work on Red Hat platforms.
Mitigate this risk by safeguarding the license handling code, which
is the only known place that can read a file and send it to somewhere.
If we could drop the capability from the effective set and add it back in when
needed, that would be nice, but that appears not to be possible.
Short of that, having a separate authentication process
running and dropping privilege would potentially work.

systemd's default stop seems to be incapable of understanding
how to shut down our service. Provide an explicit ExecStop
to have systemd act more sanely.
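The settings these commit messages describe, collected into one unit file as an added illustration; this is not the project's own unit, and the service name, binary paths and user (`example-daemon`, `svcuser`) are placeholders.

```ini
# Illustrative unit assembled from the commit notes above; names and paths
# are placeholders, not the real service.
[Unit]
Description=Example daemon that authenticates users through PAM

[Service]
Type=simple
User=svcuser
Group=svcuser
ExecStart=/usr/local/bin/example-daemon
# Explicit stop command, because the default stop logic did not shut the
# service down correctly.
ExecStop=/usr/local/bin/example-daemon --stop

# PrivateDevices=yes is deliberately NOT set: it broke pam_unix.
# Device access is restricted via the cgroup device policy instead, which
# still denies the service access to device nodes.
DevicePolicy=closed

# pam_unix invokes the setuid helper unix_chkpwd on behalf of the non-root
# service user. On Red Hat platforms the service additionally needs
# CAP_DAC_READ_SEARCH; the ambient set lets a non-root User= keep it across
# exec. This is the capability the notes flag as risky, so the only file-
# reading code path (license handling) must be guarded in the application.
AmbientCapabilities=CAP_DAC_READ_SEARCH

# Caveat added here (not from the notes): NoNewPrivileges=yes must stay off,
# since it would stop the setuid unix_chkpwd helper from elevating at all.
# Leave it unset rather than setting it to "no" explicitly.

[Install]
WantedBy=multi-user.target
```

A later hardening step the notes suggest, moving authentication into a separate process that drops privilege, would let CAP_DAC_READ_SEARCH be removed from this unit entirely.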