* question about su and passwd
@ 2003-10-24 21:20 lky
2003-10-25 22:48 ` Diyab
2003-10-27 14:52 ` Stephen Smalley
0 siblings, 2 replies; 10+ messages in thread
From: lky @ 2003-10-24 21:20 UTC (permalink / raw)
To: SELINUX
Hi, when I change the account with su I found the security context didn't change (the 2 accounts have different contexts). Should I use another command?
Another problem is I couldn't change my passwd under enforced mode. When I login as root and run "passwd" it said I couldn't do that, while when I login as another general user and run "passwd" it let me input my Unix passwd but it always fails. Who can tell me the reason? I have installed 2.6-based SELinux and the patched utilities on redhat9.0.
Thanks!
* Re: question about su and passwd
2003-10-25 22:48 ` Diyab
@ 2003-10-25 6:23 ` lky
2003-10-27 15:23 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: lky @ 2003-10-25 6:23 UTC (permalink / raw)
To: Diyab, SELINUX
On Sunday, October 26, 2003 6:48 AM, Diyab wrote:
> su will only change your user ID, not your context. To change your
> context you have to use newrole, and it's best to do that before running
> su.
Then if I have enabled the MLS policy, how can I change my context? Because I think newrole doesn't support changing ranges. Is there any other way, besides logging in again, if I want to change my account together with my context?
> passwd, like most of the other user management tools, requires a
> selinux specific version called spasswd. There are some file labeling
> issues which the normal passwd program can not handle and that is why
> the modified version was made. If you search the list archives you can
> find out more information about that.
I can't run spasswd and some other commands, for example suseradd. But I have installed the SELinux-patched daemons and utilities without any error messages. I can use the "ls -Z" and "ps -eZ" commands.
Thanks!
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: question about su and passwd
2003-10-24 21:20 question about su and passwd lky
@ 2003-10-25 22:48 ` Diyab
2003-10-25 6:23 ` lky
2003-10-27 15:23 ` Stephen Smalley
2003-10-27 14:52 ` Stephen Smalley
1 sibling, 2 replies; 10+ messages in thread
From: Diyab @ 2003-10-25 22:48 UTC (permalink / raw)
To: lky; +Cc: SELINUX
lky wrote:
> Hi, when I change the account with su I found the security context
> didn't change (the 2 accounts have different contexts). Should I use
> another command?
> Another problem is I couldn't change my passwd under enforced mode. When
> I login as root and run "passwd" it said I couldn't do that, while when I
> login as another general user and run "passwd" it let me input my Unix
> passwd but it always fails. Who can tell me the reason? I have installed
> 2.6-based SELinux and the patched utilities on redhat9.0.
> Thanks!
su will only change your user ID, not your context. To change your
context you have to use newrole, and it's best to do that before running
su. passwd, like most of the other user management tools, requires a
SELinux-specific version called spasswd. There are some file labeling
issues which the normal passwd program cannot handle, and that is why
the modified version was made. If you search the list archives you can
find out more information about that.
Timothy,
--
I put instant coffee in a microwave and almost went back in time.
-- Steven Wright
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: question about su and passwd
2003-10-24 21:20 question about su and passwd lky
2003-10-25 22:48 ` Diyab
@ 2003-10-27 14:52 ` Stephen Smalley
2003-10-27 15:01 ` Russell Coker
2003-10-27 18:26 ` lky
1 sibling, 2 replies; 10+ messages in thread
From: Stephen Smalley @ 2003-10-27 14:52 UTC (permalink / raw)
To: lky; +Cc: SELINUX, Daniel J Walsh, Russell Coker
On Fri, 2003-10-24 at 17:20, lky wrote:
> Hi, when I change the account with su I found the security context
> didn't change (the 2 accounts have different contexts). Should I use
> another command?
Since 'su' is most frequently used simply to obtain privileges (aka
capabilities) for administrative tasks by becoming the Linux superuser,
it seems undesirable to also change the SELinux user identity, as
SELinux can represent such changes via role/domain changes while
preserving user accountability. newrole supports changing roles within
a session, and domain transitions within a role can occur upon executing
an associated entrypoint program. The SELinux user identity is
presently only set by programs such as login, sshd, and gdm. Do you
truly need to switch the actual user identity during a session?
> Another problem is I couldn't change my passwd under enforced
> mode. When I login as root and run "passwd" it said I couldn't do that,
> while when I login as another general user and run "passwd" it let me
> input my Unix passwd but it always fails. Who can tell me the reason? I
> have installed 2.6-based SELinux and the patched utilities on
> redhat9.0.
We need to know more detail in order to diagnose, e.g. what exactly did
passwd display, and what denials were logged to /var/log/messages when
you ran it? Note that there are two possible levels of denial for
passwd:
- The passwd program performs a permission check when the password for a
user other than the current SELinux user identity would be changed, e.g.
you ran passwd after doing a 'su' so that your SELinux user identity
no longer matches your Linux uid or you ran passwd with a username
argument other than your own. This is to prevent someone with the
Linux root uid from being able to change the passwords of other users
unless they are also in an authorized role/domain.
- The kernel performs permission checks for the various kernel
operations invoked by the passwd program, e.g. invoking cracklib
to check the strength of the passwd, accessing the cracklib database,
updating /etc/shadow, etc. The policy or file contexts configurations
may need to be adjusted to grant the appropriate permissions or set
the appropriate file types. Is crack.te enabled?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
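Stephen's first question, which denials were logged, is the routine starting point for this kind of failure. The script below is an added example, not code from this thread or from the SELinux project: it pulls the kernel's AVC records out of syslog-style lines, splits the source and target contexts, and groups the denied permissions by (source domain, target type, object class), which is the shape a policy or file-contexts fix has to answer. The sample lines are constructed to look like the pre-auditd format that 2.6 kernels of the time wrote to /var/log/messages; passwd_t, lib_t and etc_t are example-policy type names, but the pids, inodes and the specific mislabelling they depict are invented for illustration.

```python
"""Added example: summarise SELinux AVC denials from syslog-style lines.

Not code from the thread or the SELinux project.  The sample lines are
constructed in the shape 2.6 kernels of the time wrote to
/var/log/messages before auditd existed; the field names are real, the
pids, inodes and the mislabellings shown are invented.
"""
import re
from collections import defaultdict

# One AVC record: verdict, the permission names inside the braces, then
# the key=value fields that follow "for".
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type, range-or-None)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)


def parse_avc(line):
    """Return a record dict for an AVC line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }


def summarise(lines):
    """Group denials: (source domain, target type, class) -> set of perms."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        denied[(rec["source"][2], rec["target"][2], rec["tclass"])] |= rec["perms"]
    return {key: frozenset(perms) for key, perms in denied.items()}


def report(lines):
    """Human-readable summary, one line per (domain, type, class) triple."""
    return ["%s -> %s (%s): %s" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summarise(lines).items())]


# Constructed sample: passwd run from a user_r session, with the cracklib
# dictionary and /etc/shadow both carrying generic types.
SAMPLE_LOG = """\
Oct 27 13:05:11 rh9 kernel: audit(1067281511.402:0): avc:  denied  { getattr } for  pid=2217 exe=/usr/bin/passwd name=pw_dict.pwd dev=hda2 ino=81234 scontext=lky:user_r:passwd_t tcontext=system_u:object_r:lib_t tclass=file
Oct 27 13:05:11 rh9 kernel: audit(1067281511.403:0): avc:  denied  { read } for  pid=2217 exe=/usr/bin/passwd name=pw_dict.pwd dev=hda2 ino=81234 scontext=lky:user_r:passwd_t tcontext=system_u:object_r:lib_t tclass=file
Oct 27 13:05:12 rh9 kernel: audit(1067281512.010:0): avc:  denied  { write } for  pid=2217 exe=/usr/bin/passwd name=shadow dev=hda2 ino=40312 scontext=lky:user_r:passwd_t tcontext=system_u:object_r:etc_t tclass=file
Oct 27 13:05:12 rh9 sshd[2100]: Accepted password for tom from 10.0.0.5 port 4021 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Read the summary the way Stephen suggests: passwd_t being refused read and getattr on a lib_t file named pw_dict.pwd says the cracklib dictionary does not carry the type the crack policy would give it, a file-contexts problem rather than a missing allow rule, while a write denial on an etc_t file named shadow says /etc/shadow itself is mislabelled (the example policy has a dedicated shadow_t for it) and relabelling fixes that without any policy change.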
* Re: question about su and passwd
2003-10-27 14:52 ` Stephen Smalley
@ 2003-10-27 15:01 ` Russell Coker
2003-10-27 16:42 ` lky
2003-10-27 18:26 ` lky
1 sibling, 1 reply; 10+ messages in thread
From: Russell Coker @ 2003-10-27 15:01 UTC (permalink / raw)
To: Stephen Smalley, lky; +Cc: SELINUX, Daniel J Walsh
On Tue, 28 Oct 2003 01:52, Stephen Smalley wrote:
> On Fri, 2003-10-24 at 17:20, lky wrote:
> > Hi, when I change the account with su I found the security context
> > didn't change (the 2 accounts have different contexts). Should I use
> > another command?
>
> Since 'su' is most frequently used simply to obtain privileges (aka
> capabilities) for administrative tasks by becoming the Linux superuser,
> it seems undesirable to also change the SELinux user identity, as
My interpretation of lky's message was that they wanted to change role/domain
not SE Linux identity. Although now you mention this, the original message
was unclear. Lky, please clarify what you desire.
I agree with Steve that changing the SE Linux identity is not desirable, IMHO
the only supported way of changing identity should be to logout and login
again.
> SELinux can represent such changes via role/domain changes while
> preserving user accountability. newrole supports changing roles within
> a session, and domain transitions within a role can occur upon executing
If lky desires to change role as well as UID that still provides some issues.
Changing UID via "su" and changing role via newrole require different
passwords as they are checking different things. Doing both in the same
operation does not seem to be possible.
However doing this through sudo is possible as sudo already has configuration
options for specifying which UID transitions are permitted and which
passwords should be used. I recall that someone (Dan?) posted a sudo patch
to do this sort of thing.
There is only one case that I can think of where such things are really
needed, that is for logging in to an account with a non-root UID and staff_r,
and then wanting to change to UID==0 and sysadm_r. Maybe a special-case
program for this operation would be a better solution?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: question about su and passwd
2003-10-25 22:48 ` Diyab
2003-10-25 6:23 ` lky
@ 2003-10-27 15:23 ` Stephen Smalley
2003-10-28 0:53 ` Diyab
1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2003-10-27 15:23 UTC (permalink / raw)
To: Diyab; +Cc: lky, SELINUX
On Sat, 2003-10-25 at 18:48, Diyab wrote:
> passwd, like most of the other user management tools, requires a
> selinux specific version called spasswd. There are some file labeling
> issues which the normal passwd program can not handle and that is why
> the modified version was made. If you search the list archives you can
> find out more information about that.
The spasswd wrappers were replaced with direct patches to the base
programs by Dan Walsh when the code was ported to the new SELinux API.
This allows the files to be directly created in the right context and
eliminates the window where the passwd file is in a more restrictive
context than necessary.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: question about su and passwd
2003-10-27 15:01 ` Russell Coker
@ 2003-10-27 16:42 ` lky
0 siblings, 0 replies; 10+ messages in thread
From: lky @ 2003-10-27 16:42 UTC (permalink / raw)
To: russell, Stephen Smalley; +Cc: SELINUX
On Monday, October 27, 2003 11:01 PM, Russell Coker wrote:
> My interpretation of lky's message was that they wanted to change role/domain
> not SE Linux identity. Although now you mention this, the original message
> was unclear. Lky, please clarify what you desire.
Yes, that's my meaning. But thanks Steve too for clarifying about newrole.
> There is only one case that I can think of where such things are really
> needed, that is for logging in to an account with a non-root UID and staff_r,
> and then wanting to change to UID==0 and sysadm_r. Maybe a special-case
> program for this operation would be a better solution?
That's just what I want. I am too lazy to log out and log in again :)
Thanks!
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: question about su and passwd
2003-10-27 14:52 ` Stephen Smalley
2003-10-27 15:01 ` Russell Coker
@ 2003-10-27 18:26 ` lky
2003-10-27 18:32 ` Stephen Smalley
1 sibling, 1 reply; 10+ messages in thread
From: lky @ 2003-10-27 18:26 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELINUX
On Monday, October 27, 2003 10:52 PM, Stephen Smalley wrote:
> - The kernel performs permission checks for the various kernel
> operations invoked by the passwd program, e.g. invoking cracklib
> to check the strength of the passwd, accessing the cracklib database,
> updating /etc/shadow, etc. The policy or file contexts configurations
> may need to be adjusted to grant the appropriate permissions or set
> the appropriate file types. Is crack.te enabled?
Sorry, I didn't enable crack.te. Now I can use passwd. Thanks a lot!
> - The passwd program performs a permission check when the password for a
> user other than the current SELinux user identity would be changed, e.g.
> you ran passwd after doing a 'su' so that your SELinux user identity
> no longer matches your Linux uid or you ran passwd with a username
> argument other than your own. This is to prevent someone with the
> Linux root uid from being able to change the passwords of other users
> unless they are also in an authorized role/domain.
But in enforced mode I can still run passwd after doing a 'su'. For example, I just login as root and then run 'su tom' (tom is a common user). Next I can run passwd and change the password of tom. And I can change other users' passwords after login as root. I shouldn't do that, right? But it happened. Why?
Thanks!
lky
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: question about su and passwd
2003-10-27 18:26 ` lky
@ 2003-10-27 18:32 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2003-10-27 18:32 UTC (permalink / raw)
To: lky; +Cc: SELINUX, Russell Coker, Howard Holm
On Mon, 2003-10-27 at 13:26, lky wrote:
> On Monday, October 27, 2003 10:52 PM, Stephen Smalley wrote:
> > - The kernel performs permission checks for the various kernel
> > operations invoked by the passwd program, e.g. invoking cracklib
> > to check the strength of the passwd, accessing the cracklib database,
> > updating /etc/shadow, etc. The policy or file contexts configurations
> > may need to be adjusted to grant the appropriate permissions or set
> > the appropriate file types. Is crack.te enabled?
>
> Sorry,I didn't enable crack.te.Now I can use passwd.Thanks a lot!
I think that this is actually a "bug" in the policy, as you want the
crack database correctly typed for pam_cracklib even if you aren't
running the crack program itself. I suspect we want the type definition
and file contexts entries for the cracklib enabled even if crack.te is
not.
> > - The passwd program performs a permission check when the password for a
> > user other than the current SELinux user identity would be changed, e.g.
> > you ran passwd after doing a 'su' so that your SELinux user identity
> > no longer matches your Linux uid or you ran passwd with a username
> > argument other than your own. This is to prevent someone with the
> > Linux root uid from being able to change the passwords of other users
> > unless they are also in an authorized role/domain.
>
> But in enforced mode I can still run passwd after doing a 'su'. For example,
> I just login as root and then run 'su tom' (tom is a common user). Next I can
> run passwd and change the password of tom. And I can change other users'
> passwords after login as root. I shouldn't do that, right? But it happened. Why?
That's ok as long as you were in sysadm_r:sysadm_t prior to running
passwd, as the policy grants that domain the permission to change other
users' passwords. We aren't trying to prevent a legitimate
administrator from changing other users' passwords. We are trying to
prevent arbitrary uid 0 processes in other domains from doing that, e.g.
try the same thing as root from user_r:user_t or staff_r:staff_t or any
daemon domain.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
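The decision Stephen describes, in his first reply and again here, and the staff_r to sysadm_r case Russell raises, are easier to see with the two halves of a session's identity held side by side. The model below is an added example, not the thread's code and not the patched passwd or newrole: it keeps a shell's Linux uid and its SELinux context as separate state, lets su change only the former and newrole only the role and domain, and then applies the rule passwd enforces, i.e. your own account is always allowed and another account only from a domain the policy authorises. The role authorisations, default domains, uids and the single authorised domain sysadm_t are assumptions standing in for the policy and users file of a real system; the type and role names are those of the example policy of the time.

```python
"""Added example: uid versus SELinux context across su and newrole.

Not code from the thread, nor from the patched passwd/newrole.  The
tables are stand-ins for the policy's users file and role/domain
defaults; the names are those of the 2003 example policy.
"""
from collections import namedtuple

Context = namedtuple("Context", "user role type")

# Assumed policy data for illustration.
UIDS = {"root": 0, "lky": 500, "tom": 501}
ROLE_AUTH = {                      # users file: roles each identity may enter
    "root": {"sysadm_r", "staff_r"},
    "lky": {"staff_r", "sysadm_r"},
    "tom": {"user_r"},
}
ROLE_DEFAULT_DOMAIN = {"sysadm_r": "sysadm_t", "staff_r": "staff_t", "user_r": "user_t"}
# Domains the policy allows to set other users' passwords.
PASSWD_ADMIN_DOMAINS = frozenset({"sysadm_t"})


def parse_context(text):
    """'user:role:type[:range]' -> Context (the MLS range is ignored here)."""
    user, role, type_ = text.split(":", 3)[:3]
    return Context(user, role, type_)


class Session:
    """One shell: a Linux uid and a SELinux context, deliberately separate."""

    def __init__(self, login, context):
        self.uid = UIDS[login]
        self.ctx = parse_context(context)

    def su(self, login):
        """su changes the uid only; the context, identity included, stays."""
        self.uid = UIDS[login]
        return self

    def newrole(self, role):
        """newrole changes role and domain within the same identity and uid."""
        if role not in ROLE_AUTH.get(self.ctx.user, ()):
            raise PermissionError("%s may not enter %s" % (self.ctx.user, role))
        self.ctx = Context(self.ctx.user, role, ROLE_DEFAULT_DOMAIN[role])
        return self

    def may_change_password(self, target):
        """passwd's own check, before any kernel AVC check is reached.

        The uid is not consulted: a uid 0 shell still in user_t is refused
        for other accounts, which is exactly the case the check exists for.
        """
        if self.ctx.user == target:
            return True, "own account"
        if self.ctx.type in PASSWD_ADMIN_DOMAINS:
            return True, "domain %s is authorised for other accounts" % self.ctx.type
        return False, "%s in %s may not change %s" % (self.ctx.user, self.ctx.type, target)


def thread_scenarios():
    """The cases discussed in the thread, as (label, allowed) pairs."""
    results = []
    # lky's test: log in as root (sysadm_t), su tom, passwd tom.
    s = Session("root", "root:sysadm_r:sysadm_t").su("tom")
    results.append(("root sysadm_t, su tom, passwd tom", s.may_change_password("tom")[0]))
    # Stephen's counter-test: uid 0 obtained from a user_t shell.
    s = Session("tom", "tom:user_r:user_t").su("root")
    results.append(("tom user_t, su root, passwd lky", s.may_change_password("lky")[0]))
    # A daemon running as root in its own domain.
    s = Session("root", "system_u:system_r:httpd_t")
    results.append(("httpd_t uid 0, passwd tom", s.may_change_password("tom")[0]))
    # Russell's case: staff_r login, then sysadm_r plus uid 0.
    s = Session("lky", "lky:staff_r:staff_t").newrole("sysadm_r").su("root")
    results.append(("lky staff_r -> sysadm_r, su root, passwd tom", s.may_change_password("tom")[0]))
    return results


if __name__ == "__main__":
    for label, allowed in thread_scenarios():
        print("%-48s %s" % (label, "allowed" if allowed else "refused"))
```

The last scenario is the one Russell says needs two separate password checks on a real system: newrole asks for the password to authorise the role change and su asks for root's, and neither program alone can do both. On a real box the state the model tracks is what `id -Z` shows next to `id -u` before and after each step.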
* Re: question about su and passwd
2003-10-27 15:23 ` Stephen Smalley
@ 2003-10-28 0:53 ` Diyab
0 siblings, 0 replies; 10+ messages in thread
From: Diyab @ 2003-10-28 0:53 UTC (permalink / raw)
To: Stephen Smalley; +Cc: lky, SELINUX
Stephen Smalley wrote:
> On Sat, 2003-10-25 at 18:48, Diyab wrote:
>
>>passwd, like most of the other user management tools, requires a
>>selinux specific version called spasswd. There are some file labeling
>>issues which the normal passwd program can not handle and that is why
>>the modified version was made. If you search the list archives you can
>>find out more information about that.
>
>
> The spasswd wrappers were replaced with direct patches to the base
> programs by Dan Walsh when the code was ported to the new SELinux API.
> This allows the files to be directly created in the right context and
> eliminates the window where the passwd file is in a more restrictive
> context than necessary.
>
Ah, my apologies. I have not had the opportunity to upgrade to the
newer releases yet and I was not aware of the change. Thanks for
pointing this out Stephen.
Timothy,
--
I put instant coffee in a microwave and almost went back in time.
-- Steven Wright
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2003-10-28 0:53 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-10-24 21:20 question about su and passwd lky
2003-10-25 22:48 ` Diyab
2003-10-25 6:23 ` lky
2003-10-27 15:23 ` Stephen Smalley
2003-10-28 0:53 ` Diyab
2003-10-27 14:52 ` Stephen Smalley
2003-10-27 15:01 ` Russell Coker
2003-10-27 16:42 ` lky
2003-10-27 18:26 ` lky
2003-10-27 18:32 ` Stephen Smalley