* Incorrect check in pam_rootok
From: Christopher J. PeBenito @ 2015-08-12 13:58 UTC (permalink / raw)
To: tmraz; +Cc: SELinux@tycho.nsa.gov
Working an issue here, we uncovered that PAM is checking the wrong
SELinux permission in the pam_rootok module; it checks the passwd
permission instead of the rootok permission. This issue was reported
earlier this year[1] but no action has been taken.
This has been around since early 2013, when the code was changed from
the old checkPasswdAccess() to selinux_check_access(), but an impact to
the impact on users would be rare since most domains that have the rootok
permission also have the passwd permission.
[1] https://fedorahosted.org/linux-pam/ticket/37
diff --git a/modules/pam_rootok/pam_rootok.c
b/modules/pam_rootok/pam_rootok.c
index 70579e5..88bed0c 100644
--- a/modules/pam_rootok/pam_rootok.c
+++ b/modules/pam_rootok/pam_rootok.c
@@ -106,7 +106,7 @@ selinux_check_root (void)
return status;
}
- status = selinux_check_access(user_context, user_context, "passwd",
"passwd", NULL);
+ status = selinux_check_access(user_context, user_context, "passwd",
"rootok", NULL);
selinux_set_callback(SELINUX_CB_LOG, old_callback);
freecon(user_context);
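Review bot: the hunk is line-wrapped as pasted and will not apply as-is: both `status = selinux_check_access(user_context, user_context, "passwd",` lines have their `"passwd", NULL);` / `"rootok", NULL);` tails broken onto the next line by the mailer, so please resend with wrapping disabled or as an attachment. The one-token change itself is right: the object-class argument stays "passwd" and only the permission moves from "passwd" to "rootok", which is the permission the module's name promises to check. Since the cover text says the 2013 checkPasswdAccess() to selinux_check_access() conversion is what introduced the repeated "passwd", a short comment above the call naming the intended class/permission pair would make the same slip visible in any future refactor.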
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
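The message above states the impact in terms of SELinux policy: the module calls selinux_check_access() with the user's own context as both source and target, so only a domain's self rules on the passwd class matter, and the two checks differ only for domains granted exactly one of the two permissions. The following audit aid is an added example, not code from linux-pam or from either message in this thread. It parses allow rules in the shape printed by `sesearch -A -c passwd` (setools 4), evaluates the pre-fix check (permission "passwd") and the fixed check (permission "rootok") per self domain, and reports where they disagree. It goes one step beyond the message by also reporting the opposite direction (passwd granted, rootok not), where the old check was more permissive than policy intended. All domain names and rule lines below are constructed for the example and taken from no real policy; `parse_self_rules`, `check_access` and `compare_checks` are names chosen here.

```python
"""Audit aid for the pam_rootok passwd/rootok permission mix-up.

Added example (not linux-pam code). Models what selinux_check_access(ctx, ctx,
"passwd", perm) would decide for each domain, for perm = "passwd" (pre-fix)
and perm = "rootok" (fixed), from sesearch-style allow rules.
"""
import re
from collections import defaultdict

# Constructed sample in the format printed by `sesearch -A -c passwd` (setools 4).
# Domain names and grants are invented for this example; they describe no real policy.
SAMPLE_RULES = """\
# self rules on the passwd class (constructed)
allow sysadm_t sysadm_t:passwd { passwd chfn chsh rootok crontab };
allow staff_t staff_t:passwd { passwd chfn chsh };
allow unconfined_t unconfined_t:passwd { passwd rootok chfn chsh crontab }; [ unconfined_login ]:True
allow xdm_t xdm_t:passwd { rootok };
allow initrc_t initrc_t:passwd rootok;
allow passwd_t passwd_t:passwd { passwd chfn chsh };
allow cron_t user_t:passwd crontab;
"""

# allow SRC TGT:CLASS { p1 p2 ... };  or  allow SRC TGT:CLASS p1;
# Anything after the ';' (e.g. a conditional marker) is ignored.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<many>[^}]*)\}|(?P<one>[^\s;]+))\s*;"
)


def parse_self_rules(text, obj_class="passwd"):
    """Return {domain: set(perms)} for allow rules on obj_class whose source
    and target type are identical.  That is the only question pam_rootok asks:
    it passes user_context as both scontext and tcontext, so rules where the
    target differs from the source never influence the module's decision."""
    perms_by_domain = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("cls") != obj_class:
            continue
        if m.group("src") != m.group("tgt"):
            continue  # not a self rule; irrelevant to selinux_check_root()
        perms = (m.group("many") or m.group("one")).split()
        perms_by_domain[m.group("src")].update(perms)
    return dict(perms_by_domain)


def check_access(perms_by_domain, domain, perm):
    """Enforcing-mode model of selinux_check_access(ctx, ctx, "passwd", perm):
    True when the domain's self rules grant perm.  Permissive domains and the
    audit callback handling in libselinux are deliberately not modelled."""
    return perm in perms_by_domain.get(domain, set())


def compare_checks(perms_by_domain):
    """Domains for which the pre-fix check ("passwd") and the fixed check
    ("rootok") disagree, split by direction of the error."""
    denied_by_bug = []   # rootok granted, passwd not: the fix restores access
    allowed_by_bug = []  # passwd granted, rootok not: the fix removes a bypass
    for domain in sorted(perms_by_domain):
        buggy = check_access(perms_by_domain, domain, "passwd")
        fixed = check_access(perms_by_domain, domain, "rootok")
        if fixed and not buggy:
            denied_by_bug.append(domain)
        elif buggy and not fixed:
            allowed_by_bug.append(domain)
    return {"denied_by_bug": denied_by_bug, "allowed_by_bug": allowed_by_bug}


if __name__ == "__main__":
    rules = parse_self_rules(SAMPLE_RULES)
    for direction, domains in compare_checks(rules).items():
        print(f"{direction}: {', '.join(domains) or '(none)'}")
```

To run this against a live system instead of the constructed sample, feed it the output of `sesearch -A -c passwd` from the loaded policy; any domain listed under allowed_by_bug is one where the old code let selinux_check_root() succeed on the strength of a passwd grant that policy never intended as a root-ok grant.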
* Re: Incorrect check in pam_rootok
From: Tomas Mraz @ 2015-08-12 15:06 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux@tycho.nsa.gov
On Wed, 2015-08-12 at 09:58 -0400, Christopher J. PeBenito wrote:
> Working an issue here, we uncovered that PAM is checking the wrong
> SELinux permission in the pam_rootok module; it checks the passwd
> permission instead of the rootok permission. This issue was reported
> earlier this year[1] but no action has been taken.
>
> This has been around since early 2013, when the code was changed from
> the old checkPasswdAccess() to selinux_check_access(), but an impact to
> users would be rare since most domains that have the rootok permission
> also have the passwd permission.
>
> [1] https://fedorahosted.org/linux-pam/ticket/37
>
> diff --git a/modules/pam_rootok/pam_rootok.c
> b/modules/pam_rootok/pam_rootok.c
> index 70579e5..88bed0c 100644
> --- a/modules/pam_rootok/pam_rootok.c
> +++ b/modules/pam_rootok/pam_rootok.c
> @@ -106,7 +106,7 @@ selinux_check_root (void)
> return status;
> }
>
> - status = selinux_check_access(user_context, user_context, "passwd",
> "passwd", NULL);
> + status = selinux_check_access(user_context, user_context, "passwd",
> "rootok", NULL);
>
> selinux_set_callback(SELINUX_CB_LOG, old_callback);
> freecon(user_context);
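Review bot: the hunk carries no commit message and no Signed-off-by, and the rationale from the cover text (permission mismatch since the 2013 checkPasswdAccess() conversion, fedorahosted ticket 37) belongs in the commit so the history records why the pair is class "passwd", permission "rootok". Worth stating there as well: because selinux_check_root() passes user_context as both source and target, the behaviour change is confined to domains whose self rules on the passwd class grant exactly one of the two permissions. A domain with rootok but not passwd was wrongly denied before this change, and a domain with passwd but not rootok wrongly passed selinux_check_root(); the second direction is the more serious one and the case a regression test should cover.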
>
Thank you for the heads-up. I committed the fix into the upstream git
master branch.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)