* Incorrect check in pam_rootok
@ 2015-08-12 13:58 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2015-08-12 13:58 UTC (permalink / raw)
  To: tmraz; +Cc: SELinux@tycho.nsa.gov

Working an issue here, we uncovered that PAM is checking the wrong
SELinux permission in the pam_rootok module; it checks the passwd
permission instead of the rootok permission.  This issue was reported
earlier this year[1] but no action has been taken.

This has been around since early 2013, when the code was changed from
the old checkPasswdAccess() to selinux_check_access(), but an impact to
users would be rare since most domains that have the rootok permission
also have the passwd permission.

[1] https://fedorahosted.org/linux-pam/ticket/37

diff --git a/modules/pam_rootok/pam_rootok.c
b/modules/pam_rootok/pam_rootok.c
index 70579e5..88bed0c 100644
--- a/modules/pam_rootok/pam_rootok.c
+++ b/modules/pam_rootok/pam_rootok.c
@@ -106,7 +106,7 @@ selinux_check_root (void)
        return status;
     }

-    status = selinux_check_access(user_context, user_context, "passwd",
"passwd", NULL);
+    status = selinux_check_access(user_context, user_context, "passwd",
"rootok", NULL);

     selinux_set_callback(SELINUX_CB_LOG, old_callback);
     freecon(user_context);
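Review bot: the permission change itself is right for what this function decides (the `rootok` permission of the `passwd` class, which the call's class argument already names), but the patch as posted will not apply: the mailer has wrapped the `diff --git a/modules/pam_rootok/pam_rootok.c` header and both `selinux_check_access(...)` lines onto two lines each, so `git am` rejects the hunk. Resend it with `git send-email` or as an attachment, and give it a commit message with a `Signed-off-by:` line that references ticket [1] and spells out the behavioural change: a domain granted `passwd` but not `rootok` was previously treated as root-ok and is now denied, while a domain granted `rootok` but not `passwd` was wrongly denied and is now allowed.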

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
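The impact analysis in the report (which domains the wrong permission string actually affects) can be made concrete with a small model of the access decision. The following is an added example, not code from the thread or from Linux-PAM: it parses TE allow rules in the syntax that `sesearch -A -c passwd` prints, models `selinux_check_access()` as a lookup on (source type, target type, class, permission), and lists the domains for which the old check (`passwd`) and the fixed check (`rootok`) give different answers. The rule lines and domain names are constructed for illustration, and the model uses the type field only, where the real call takes full security contexts.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample rules (illustrative only, not taken from any real policy),
# written in the TE allow-rule syntax that `sesearch -A -c passwd` prints.
SAMPLE_RULES = """\
allow sudodomain_t sudodomain_t:passwd { passwd rootok };
allow unconfined_t unconfined_t:passwd { passwd chfn chsh rootok };
allow chkpwd_t chkpwd_t:passwd passwd;
allow pam_console_t self:passwd rootok;
allow sshd_t sshd_t:process { setexec setrlimit };
"""

Rule = Tuple[str, str, str]  # (source type, target type, object class)

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\w+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
)


def parse_allow_rules(text: str) -> Dict[Rule, Set[str]]:
    """Parse TE allow rules into {(src, tgt, class): {perm, ...}}.

    `self` as the target is resolved to the source type, as the policy
    compiler does.
    """
    rules: Dict[Rule, Set[str]] = {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # ignore anything that is not an allow rule
        src, tgt, cls = m["src"], m["tgt"], m["cls"]
        if tgt == "self":
            tgt = src
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def check_access(rules: Dict[Rule, Set[str]], scon: str, tcon: str,
                 tclass: str, perm: str) -> bool:
    """Model of selinux_check_access(): True when the policy allows `perm`.

    The real function returns 0 on success and works on full contexts; this
    model keys on the type field only, which is enough for allow rules.
    """
    return perm in rules.get((scon, tcon, tclass), set())


def rootok_allowed(rules: Dict[Rule, Set[str]], domain: str,
                   fixed: bool = True) -> bool:
    """pam_rootok's SELinux decision for a process running in `domain`.

    fixed=False reproduces the pre-patch call (permission "passwd");
    fixed=True the patched call (permission "rootok"). Both use the
    process's own context as source and target, and class "passwd".
    """
    perm = "rootok" if fixed else "passwd"
    return check_access(rules, domain, domain, "passwd", perm)


def divergent_domains(rules: Dict[Rule, Set[str]]) -> Dict[str, Tuple[bool, bool]]:
    """Domains whose decision changes: {domain: (old result, fixed result)}."""
    domains = {src for (src, tgt, cls) in rules if cls == "passwd" and src == tgt}
    out: Dict[str, Tuple[bool, bool]] = {}
    for d in sorted(domains):
        old, new = rootok_allowed(rules, d, fixed=False), rootok_allowed(rules, d)
        if old != new:
            out[d] = (old, new)
    return out


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_RULES)
    for domain, (old, new) in divergent_domains(rules).items():
        verdict = "wrongly treated as root-ok" if old else "wrongly denied"
        print(f"{domain}: old={old} fixed={new} -> {verdict} before the fix")
```

Run against real `sesearch -A -c passwd` output instead of the constructed rules, the same function shows which domains on a given policy were affected by the wrong permission string; the domains in the second group (granted `passwd` but not `rootok`) are the ones that matter from a risk point of view, since pam_rootok treated them as root-ok without the policy author having said so.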


* Re: Incorrect check in pam_rootok
@ 2015-08-12 15:06 ` Tomas Mraz
From: Tomas Mraz @ 2015-08-12 15:06 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux@tycho.nsa.gov

On St, 2015-08-12 at 09:58 -0400, Christopher J. PeBenito wrote:
> Working an issue here, we uncovered that PAM is checking the wrong
> SELinux permission in the pam_rootok module; it checks the passwd
> permission instead of the rootok permission.  This issue was reported
> earlier this year[1] but no action has been taken.
> 
> This has been around since early 2013, when the code was changed from
> the old checkPasswdAccess() to selinux_check_access(), but an impact to
> users would be rare since most domains that have the rootok permission
> also have the passwd permission.
> 
> [1] https://fedorahosted.org/linux-pam/ticket/37
> 
> diff --git a/modules/pam_rootok/pam_rootok.c
> b/modules/pam_rootok/pam_rootok.c
> index 70579e5..88bed0c 100644
> --- a/modules/pam_rootok/pam_rootok.c
> +++ b/modules/pam_rootok/pam_rootok.c
> @@ -106,7 +106,7 @@ selinux_check_root (void)
>         return status;
>      }
> 
> -    status = selinux_check_access(user_context, user_context, "passwd",
> "passwd", NULL);
> +    status = selinux_check_access(user_context, user_context, "passwd",
> "rootok", NULL);
> 
>      selinux_set_callback(SELINUX_CB_LOG, old_callback);
>      freecon(user_context);
> 

Thank you for the heads-up. I committed the fix into the upstream git
master branch.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

