Why is it needed to set `pam_loginuid` to its `optional` value with docker?

臣服心动 2020-12-15 12:40

In order to run the ssh daemon service, the pam_loginuid entry has to be set to optional in /etc/pam.d/sshd, as described in the official example for Ubuntu 13.10.

2 answers
  •  萌比男神i
    2020-12-15 13:11

    pam_loginuid is used to set the loginuid audit attribute of a process when a user logs in through SSH, X, or anything like that. This attribute can then be used by the audit framework for various purposes.

    However, setting this audit attribute requires some audit-related capabilities to be enabled; and by default, Docker drops them, so the audit_setloginuid call will fail.

    When the PAM module is configured as required, such failures are fatal (and PAM prevents the login from going on); while optional means "go on anyway".

    I might be wrong, but I believe that while pam_loginuid is available in previous versions (I tested with 12.04) it wasn't enabled anyway; so that's why 13.10 and higher require this special setting.
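
The edit the answer above describes, as an added example that is not part of the original question or answer: a small POSIX shell script that reports the control value of the pam_loginuid entry in a PAM service file and rewrites `required` to `optional`, leaving every other line untouched. The sample /etc/pam.d/sshd content, the temporary directory and the function names are constructed for this demo; in a Dockerfile you would run `relax_pam_loginuid /etc/pam.d/sshd` instead.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Rewrites the pam_loginuid line in a PAM service file (e.g. /etc/pam.d/sshd)
# from "required" to "optional", and reports which control value is in effect.
# The sample file content below is constructed for the demo.

# Print the control value ("required", "optional", ...) of the pam_loginuid
# session entry in the given PAM file; prints nothing if there is no such entry.
pam_loginuid_control() {
    sed -n 's/^session[[:space:]][[:space:]]*\([a-z]*\)[[:space:]][[:space:]]*pam_loginuid\.so.*/\1/p' "$1" | head -n 1
}

# Rewrite "session required pam_loginuid.so" to "session optional pam_loginuid.so",
# keeping whitespace and every other line byte-for-byte. Plain POSIX sed, so no
# "sed -i" (which differs between GNU and BSD sed); write to a temp file and move.
relax_pam_loginuid() {
    tmp="$1.tmp.$$"
    sed 's/^\(session[[:space:]][[:space:]]*\)required\([[:space:]][[:space:]]*pam_loginuid\.so\)/\1optional\2/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Demo on a constructed copy of a Debian/Ubuntu-style /etc/pam.d/sshd.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/sshd"
cat > "$demo_file" <<'EOF'
# PAM configuration for the Secure Shell service (constructed sample)
@include common-auth
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
EOF

echo "before: pam_loginuid is $(pam_loginuid_control "$demo_file")"
relax_pam_loginuid "$demo_file"
echo "after:  pam_loginuid is $(pam_loginuid_control "$demo_file")"
```

Two practical notes. First, the capability the module needs is CAP_AUDIT_CONTROL (that is what the kernel checks before it lets a process change its loginuid), and it is not in Docker's default capability set; `docker run --cap-add AUDIT_CONTROL` is the alternative to relaxing the module if you want ssh sessions inside the container to carry a proper auid. Second, with `optional` the login proceeds but the session has no loginuid set, so audit records for anything done in that ssh session will not be attributed to the user who logged in; that is an acceptable trade-off for a throwaway container, but worth knowing if you rely on auditd records from it.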
