Timothée Ravier

> I have done accidentally raised the PR from my work account, while I have committed the changes using my personal account. Let me know if you'd like me to...

Indeed. Another option would be to have rpm-ostree try to raise its soft limit to match the hard limit by default.

https://src.fedoraproject.org/rpms/setroubleshoot/pull-request/29 > Initial set of fixes

I'm suspecting that the `%triggerrun chown` call is the source of this issue. The systemd-sysusers change is mostly a NOP but made to align the package with the Fedora policy....

One suggestion from https://github.com/fedora-silverblue/issue-tracker/issues/272#issuecomment-1173091215 would be to add special client side "secret" handling that would bind mount some files into places during client side composes to share secrets. Another option...

I mistakenly filed this in the FCOS tracker as I originally wanted to file it in the rpm-ostree tracker. Not sure this is meeting worthy.

> This feels like it'd be more flexible as an allowlist, like: > > ``` > setuid: > - /usr/bin/sudo > - /usr/bin/su > ``` Indeed, this would definitely make...

So a more concrete example / use case for this feature: Creating a SetUID/SetGID less setup for rpm-ostree based systems. Instead of using sudo, the user could setup its sshd...

Those are indeed also good ideas. I vaguely remember trying to do things like that a while ago but never really found a nice setup. One would also have to...

~~https://github.com/rpm-software-management/rpm/pull/1867 > This one might enable us to do what we need here.~~ Edit: Apparently it's not enough as we will be missing the execution context.