root and change of passwords

root and change of passwords

[DeadManMoving]

Hi,

i've recently find a bug in the implementation of SELinux in gentoo
(http://bugs.gentoo.org/show_bug.cgi?id=76701) and debian (well, at
least with md5 and shadow password enabled) that let root change other
users passwords even when he's not in sysadm_r:sysadm_t context.

I've then contacted the gentoo hardened team and told them about it.
They've asked me to fill a bug report and told me it was surely a
problem with pam and the SELinux patch for pam.

Willing to try to fix the problem by myself, i've made an ebuild for pam
with the latest SRPM of fedora pam implementation. That did not solve
the problem.

So i went back to the gentoo hardened team and told them my experience
with the fedora pam implementation. They then told me they were now
thinking the problem was with the passwd program from the shadow suite.

That was making a lot of sense since fedora do not use the passwd
program from the shadow suite but instead use the passwd suite (passwd
package and libuser package) from red hat.

Still willing to fix that, i've given the red hat passwd suite a try on
my gentoo installation and yes! it works quite well!

I say quite well (and here's my question) cause i see that root is still
able to change his own password even not in the sysadm_r:sysadm_t
context. Is that a desired behavior? Would that be easy to implement and
more secure if root could only change his own password when in the
sysadm_r:sysadm_t context?

Thanks a lot for your time,

Tony Lapointe


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: root and change of passwords

[Stephen Smalley]

On Fri, 2005-01-07 at 14:09, DeadManMoving wrote:
> i've recently find a bug in the implementation of SELinux in gentoo
> Still willing to fix that, i've given the red hat passwd suite a try on
> my gentoo installation and yes! it works quite well!
> 
> I say quite well (and here's my question) cause i see that root is still
> able to change his own password even not in the sysadm_r:sysadm_t
> context. Is that a desired behavior? Would that be easy to implement and
> more secure if root could only change his own password when in the
> sysadm_r:sysadm_t context?

Dan Walsh implemented the modifications to passwd in Fedora, so I've
cc'd him.  Those modifications were similar (but not identical) in
functionality to earlier wrappers for passwd and similar programs used
in the pre-Fedora upstream SELinux.  IIRC, the Fedora passwd program
obtains the caller's security context, extracts the user identity from
it, and checks a SELinux permission if attempting to change the passwd
information for a user other than the caller.  Note that the user
identity in the security context can only be set by processes allowed to
do so by SELinux policy and is not necessarily the same as the Linux
uid, so a rogue uid 0 process cannot arbitrarily assume the SELinux user
identity of "root".  Fedora also includes similar checking elsewhere,
e.g. pam_rootok, libuser, etc.

Hence, gaining uid 0 is not sufficient by itself to use passwd to change
root's password - you must also obtain the SELinux user identity of root
or have appropriate permission in the SELinux policy.

Whether or not passwd should require root to be in sysadm_r to change
his own password is another question.  If root is starting in user_r,
then he is already exposed to other user_t processes, so requiring him
to newrole to sysadm_r first isn't going to help.  root (and other
administrative users) should typically only run in staff_r or sysadm_r,
not user_r, as they are otherwise exposed to tampering/interference by
user_t processes.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: root and change of passwords

[Christopher J. PeBenito]

On Tue, 2005-01-11 at 08:59 -0500, Stephen Smalley wrote:
> On Fri, 2005-01-07 at 14:09, DeadManMoving wrote:
> > i've recently find a bug in the implementation of SELinux in gentoo
> > Still willing to fix that, i've given the red hat passwd suite a try on
> > my gentoo installation and yes! it works quite well!
> 
> IIRC, the Fedora passwd program obtains the caller's security context,
> extracts the user identity from it, and checks a SELinux permission if
> attempting to change the passwd information for a user other than the
> caller.  Note that the user identity in the security context can only
> be set by processes allowed to do so by SELinux policy and is not
> necessarily the same as the Linux uid, so a rogue uid 0 process cannot
> arbitrarily assume the SELinux user identity of "root".

I was writing up a patch for shadow's version of passwd, chfn, and chsh,
when I noticed that chage doesn't have a check.  Is chage not included
in Fedora, or was it determined that it didn't need a check?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: root and change of passwords

[Stephen Smalley]

On Tue, 2005-01-11 at 10:10, Christopher J. PeBenito wrote:
> I was writing up a patch for shadow's version of passwd, chfn, and chsh,
> when I noticed that chage doesn't have a check.  Is chage not included
> in Fedora, or was it determined that it didn't need a check?

Fedora CVS tree includes a separate SELinux patch for chage in the
shadow-utils directory.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: root and change of passwords

[Daniel J Walsh]

Christopher J. PeBenito wrote:

>On Tue, 2005-01-11 at 08:59 -0500, Stephen Smalley wrote:
>  
>
>>On Fri, 2005-01-07 at 14:09, DeadManMoving wrote:
>>    
>>
>>>i've recently find a bug in the implementation of SELinux in gentoo
>>>Still willing to fix that, i've given the red hat passwd suite a try on
>>>my gentoo installation and yes! it works quite well!
>>>      
>>>
>>IIRC, the Fedora passwd program obtains the caller's security context,
>>extracts the user identity from it, and checks a SELinux permission if
>>attempting to change the passwd information for a user other than the
>>caller.  Note that the user identity in the security context can only
>>be set by processes allowed to do so by SELinux policy and is not
>>necessarily the same as the Linux uid, so a rogue uid 0 process cannot
>>arbitrarily assume the SELinux user identity of "root".
>>    
>>
>
>I was writing up a patch for shadow's version of passwd, chfn, and chsh,
>when I noticed that chage doesn't have a check.  Is chage not included
>in Fedora, or was it determined that it didn't need a check?
>
>  
>
chage comes from shadow-utils in Fedora/RHEL

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: root and change of passwords

[Stephen Smalley]

On Tue, 2005-01-11 at 08:59, Stephen Smalley wrote:
> Hence, gaining uid 0 is not sufficient by itself to use passwd to change
> root's password - you must also obtain the SELinux user identity of root
> or have appropriate permission in the SELinux policy.
> 
> Whether or not passwd should require root to be in sysadm_r to change
> his own password is another question.  If root is starting in user_r,
> then he is already exposed to other user_t processes, so requiring him
> to newrole to sysadm_r first isn't going to help.  root (and other
> administrative users) should typically only run in staff_r or sysadm_r,
> not user_r, as they are otherwise exposed to tampering/interference by
> user_t processes.

The other item to note here is that even if you have both uid 0 and the
SELinux user identity of "root", you still can't run the passwd program
with the necessary privileges to modify /etc/shadow unless your domain
can transition to passwd_t.  That would be true of the user domains, but
not for a number of daemon domains.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.