[Pkg-shadow-devel] Bug#352494: passwd: confusing error message if /proc is not found
Nicolas François
nicolas.francois at centraliens.net
Sun Feb 12 18:08:18 UTC 2006
Hello,
On Sun, Feb 12, 2006 at 12:19:22PM +0100, Marc Haber wrote:
>
> invoking "passwd foo" in a chroot without /proc mounted results in the
> error message "passwd: You may not view or modify password information
> for foo".
This was caused by the call to selinux_check_passwd_access, which failed
(returned -1) on a non-SELinux system without /proc.
Russel, can you check the attached patch?
(It can be dropped in the debian/patches directory of the shadow source
package, after adding 493_selinux_no_proc at the end of
debian/patches/series)
Thanks in advance,
--
Nekral
-------------- next part --------------
Index: shadow-4.0.14/src/chage.c
===================================================================
--- shadow-4.0.14.orig/src/chage.c 2006-02-12 16:49:27.000000000 +0100
+++ shadow-4.0.14/src/chage.c 2006-02-12 18:20:44.000000000 +0100
@@ -361,11 +361,10 @@
textdomain (PACKAGE);
ruid = getuid ();
-#ifdef WITH_SELINUX
- amroot = (ruid == 0
- && selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
-#else
amroot = (ruid == 0);
+#ifdef WITH_SELINUX
+ if (amroot && is_selinux_enabled () > 0)
+ amroot = (selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
#endif
/*
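Review bot: in the added test "if (amroot && is_selinux_enabled () > 0)", every non-positive return is treated as "SELinux off", so if the SELinux state cannot be determined the PASSWD__ROOTOK check is silently skipped and amroot stays true for uid 0. Consider calling is_selinux_enabled () once into a local, handling a negative value explicitly (deny, or at least log it), and adding a short comment that the check is skipped on non-SELinux systems because selinux_check_passwd_access fails there without /proc.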
Index: shadow-4.0.14/src/chfn.c
===================================================================
--- shadow-4.0.14.orig/src/chfn.c 2006-02-12 16:49:26.000000000 +0100
+++ shadow-4.0.14/src/chfn.c 2006-02-12 18:21:36.000000000 +0100
@@ -378,6 +378,7 @@
* check if the change is allowed by SELinux policy.
*/
if ((pw->pw_uid != getuid ())
+ && (is_selinux_enabled () > 0)
&& (selinux_check_passwd_access (PASSWD__CHFN) != 0)) {
fprintf (stderr, _("%s: Permission denied.\n"), Prog);
closelog ();
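Review bot: with the added "&& (is_selinux_enabled () > 0)" term in chfn.c, this condition makes no decision at all when SELinux is not enabled, even though pw->pw_uid differs from getuid (). The passwd.c hunk in the same patch falls back to "!amroot" for that case; either use the same fallback here or confirm that a check outside this hunk already rejects non-root callers, and say so in the comment above the condition.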
Index: shadow-4.0.14/src/chsh.c
===================================================================
--- shadow-4.0.14.orig/src/chsh.c 2006-02-12 16:49:27.000000000 +0100
+++ shadow-4.0.14/src/chsh.c 2006-02-12 18:23:20.000000000 +0100
@@ -304,6 +304,7 @@
* check if the change is allowed by SELinux policy.
*/
if ((pw->pw_uid != getuid ())
+ && (is_selinux_enabled () > 0)
&& (selinux_check_passwd_access (PASSWD__CHSH) != 0)) {
SYSLOG ((LOG_WARN, "can't change shell for `%s'", user));
closelog ();
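Review bot: the guard "&& (is_selinux_enabled () > 0)" added in chsh.c is the same line pasted into chfn.c, and chage.c and passwd.c each carry their own variant, so the four call sites can drift apart. A small shared helper that takes the permission (PASSWD__CHSH here) and returns whether access is denied, including what happens when SELinux is disabled, would keep the tools consistent. As in chfn.c, there is no "!amroot" fallback here when SELinux is off.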
Index: shadow-4.0.14/src/passwd.c
===================================================================
--- shadow-4.0.14.orig/src/passwd.c 2006-02-12 16:49:27.000000000 +0100
+++ shadow-4.0.14/src/passwd.c 2006-02-12 18:36:57.000000000 +0100
@@ -802,7 +802,9 @@
* check if the change is allowed by SELinux policy.
*/
if ((pw->pw_uid != getuid ())
- && (selinux_check_passwd_access (PASSWD__PASSWD) != 0)) {
+ && (is_selinux_enabled () > 0 ?
+ (selinux_check_passwd_access (PASSWD__PASSWD) != 0):
+ !amroot)) {
#else
/*
* If the UID of the user does not match the current real UID,
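Review bot: the conditional expression added inside the if in passwd.c mixes two policies in one condition, the SELinux answer when is_selinux_enabled () > 0 and "!amroot" otherwise, and is hard to read. Computing the result into a named local first and testing that would make the fallback obvious. It is also worth checking that amroot is already set at this point when WITH_SELINUX is defined, and whether the "!amroot" arm duplicates what the #else branch below does, in which case the code could be shared. Style: add a space before the ":" that follows the selinux_check_passwd_access call.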