From: Calvin Owens <calvinowens@fb.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>,
rgb@redhat.com, ebiederm@xmission.com,
linux-kernel@vger.kernel.org, kernel-team@fb.com,
stable@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [PATCH][RESEND 2] Revert "AUDIT: Allow login in non-init namespaces"
Date: Fri, 9 Jan 2015 13:24:51 -0800
Message-ID: <20150109212451.GG27996@mail.thefacebook.com>
In-Reply-To: <1569326.X07DWxmoQX@sifl>
On Friday 01/09 at 15:33 -0500, Paul Moore wrote:
> On Thursday, January 08, 2015 05:44:48 PM Calvin Owens wrote:
> > This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces".
> >
> > This commit incorrectly assumes that libpam treats -ECONNREFUSED as
> > an indicator that audit is disabled, and -EPERM or any other error
> > as a fatal error that prevents the login from continuing.
> >
> > The opposite is in fact true: -EPERM allows the login to continue,
> > and -ECONNREFUSED causes it to refuse the login. This behavior has
> > been unchanged in upstream linux-pam since at least 2008.
> >
> > Reverting this change allows libpam to again work as expected in
> > non-init user namespaces.
> >
> > Signed-off-by: Calvin Owens <calvinowens@fb.com>
> > Cc: stable@vger.kernel.org
> > ---
> > Relevant code in linux-pam:
> > https://urldefense.proofpoint.com/v1/url?u=https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c%23n56&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=oEb120Cp%2FehdhuY2M7qjelK5yT8IPB5WC2nEG4obDh4%3D%0A&m=vyJMOR0vSvoBryKRT8mBRsUpUQElUD3Fa4ZBI5Vaf%2BA%3D%0A&s=4f34b8ee3ea296b034ab84da1d7f0b738cd431081878afd6f85203507a722ebe
> >
> > kernel/audit.c | 12 +-----------
> > 1 file changed, 1 insertion(+), 11 deletions(-)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 80983df..656e8ce 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> > msg_type) int err = 0;
> >
> > /* Only support initial user namespace for now. */
> > - /*
> > - * We return ECONNREFUSED because it tricks userspace into thinking
> > - * that audit was not configured into the kernel. Lots of users
> > - * configure their PAM stack (because that's what the distro does)
> > - * to reject login if unable to send messages to audit. If we return
> > - * ECONNREFUSED the PAM stack thinks the kernel does not have audit
> > - * configured in and will let login proceed. If we return EPERM
> > - * userspace will reject all logins. This should be removed when we
> > - * support non init namespaces!!
> > - */
> > if (current_user_ns() != &init_user_ns)
> > - return -ECONNREFUSED;
> > + return -EPERM;
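Review bot: the hunk deletes the comment that justified -ECONNREFUSED but adds nothing at `return -EPERM;` explaining why that value is now the right one for the `current_user_ns() != &init_user_ns` case; since the commit message's reading of linux-pam (-EPERM lets the login continue, -ECONNREFUSED refuses it) is the exact inverse of the removed comment, a one-line comment pointing at the pam_audit.c behaviour would stop the next reader flipping it back. It would also help to quote the relevant pam_audit.c lines in the commit message instead of only linking them, because the two readings of libpam cannot both be right and the reviewer has no way to check which from the patch alone.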
>
> While I haven't had reason to test this code lately, last I knew it was
> working, what problems are you seeing Calvin? Also, with what distribution?
An SSH authentication setup in LXC containers on CentOS broke with the
original patch. My revert made it work again. I can dig up more detail
about the specific setup if you're interested.
Thanks,
Calvin
> --
> paul moore
> www.paul-moore.com
>
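An added diagnostic, not code from the patch or from linux-pam, for checking what the running kernel actually answers to an audit netlink request from inside a container, which is the question this thread turns on. It assumes Linux UAPI headers, a kernel with audit built in, and running as the container's root, as sshd is at login time; AUDIT_GET requires CAP_AUDIT_CONTROL, so an unprivileged run gets -EPERM in every namespace and tells you nothing.

```c
/* Added probe (not from the patch or linux-pam): send AUDIT_GET over
 * NETLINK_AUDIT and report the errno carried in the kernel's ack. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* First message in a reply buffer: the nlmsgerr error of an NLMSG_ERROR
 * (0 or -errno), 0 for an AUDIT_GET status reply, -EBADMSG if malformed. */
int audit_ack_error(void *buf, size_t n)
{
    struct nlmsghdr *h = buf;
    if (!NLMSG_OK(h, n)) return -EBADMSG;            /* short read or bogus length */
    if (h->nlmsg_type != NLMSG_ERROR) return 0;      /* status reply: audit reachable */
    if (h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr))) return -EBADMSG;
    return ((struct nlmsgerr *)NLMSG_DATA(h))->error; /* 0 is a plain ack */
}

/* Constructed sample ack carrying err; parsing only len bytes of it
 * simulates a short read from the socket. */
int parse_constructed_ack(int err, size_t len)
{
    struct { struct nlmsghdr nlh; struct nlmsgerr e; } m = { { 0 }, { 0 } };
    m.nlh.nlmsg_len = NLMSG_LENGTH(sizeof m.e);
    m.nlh.nlmsg_type = NLMSG_ERROR;
    m.e.error = err;
    return audit_ack_error(&m, len < sizeof m ? len : sizeof m);
}

/* Live probe: 0 if audit answered, else -errno from the ack or the socket.
 * In a non-init user namespace the value comes from audit_netlink_ok(). */
int probe_audit(void)
{
    struct nlmsghdr req = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = AUDIT_GET,
                            .nlmsg_flags = NLM_F_REQUEST, .nlmsg_seq = 1 };
    struct sockaddr_nl k = { .nl_family = AF_NETLINK };
    char buf[8192];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) return -errno;
    ssize_t n = sendto(fd, &req, req.nlmsg_len, 0, (struct sockaddr *)&k, sizeof k);
    if (n >= 0) n = recv(fd, buf, sizeof buf, 0);
    int rc = n < 0 ? -errno : audit_ack_error(buf, (size_t)n);
    close(fd);
    return rc;
}

int main(void)
{
    printf("audit netlink result: %d (negative errno, 0 = reachable)\n", probe_audit());
    return 0;
}
```

Compare the printed value against -EPERM and -ECONNREFUSED from errno.h to see which side of the revert the running kernel is on.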