author | Lennart Poettering <lennart@poettering.net> | 2023-02-22 18:43:45 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-02-28 21:42:29 +0100 |
commit | a1012609f3a1dfc7512caaf78c2b90bcd311a52c (patch) | |
tree | ca341c1388aab1fb17e0183908b467959ad40872 /NEWS | |
parent | d7fce219aedfea378dcbc04c68b41d22d31ffae5 (diff) | |
download | systemd-a1012609f3a1dfc7512caaf78c2b90bcd311a52c.tar.gz |
update NEWS
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 18 |
1 files changed, 18 insertions, 0 deletions
@@ -1,5 +1,23 @@ systemd System and Service Manager +CHANGES WITH 254 in spe: + + Security relevant changes: + + * pam_systemd will now by default pass the CAP_WAKE_ALARM ambient + process capability to invoked session processes of regular users on + local seats (as well as to systemd --user), unless configured + otherwise via data from JSON user records, or via the PAM module's + parameter list. This is useful in order allow desktop tools such as + GNOME's Alarm Clock application to set a timer for + CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A + per-user service unit file may thus use AmbientCapability= to pass + the capability to invoked processes. Note that this capability is + relatively narrow in focus (in particular compared to other process + capabilities such as CAP_SYS_ADMIN) and we already — by default — + permit more impactful operations such as system suspend to local + users. + CHANGES WITH 253: Announcements of Future Feature Removals and Incompatible Changes: |
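Review bot: in the new "Security relevant changes" entry, the sentence "A per-user service unit file may thus use AmbientCapability= to pass the capability to invoked processes" misnames the setting; the unit option is AmbientCapabilities=, and a reader who copies the name from NEWS into a unit file ends up with a service that does not receive the capability. In the same entry, "This is useful in order allow desktop tools" is missing a "to". Because this entry changes a default so that a capability is granted to regular users' sessions, it would also help to name the specific PAM module parameter and the JSON user record field that the text refers to with "unless configured otherwise", so administrators who want to opt out can find the switch from NEWS alone.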