[Pkg-shadow-devel] Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Russell Coker
russell at coker.com.au
Mon Mar 24 23:51:54 UTC 2008
Package: passwd
Version: 1:4.0.18.1-7
Severity: normal
The following patch makes the SE Linux tests more strict, when the real UID
(the return value of getuid()) is 0 SE Linux checks will be performed.
With this patch if you are running the Strict SE Linux policy a shell user
who gains UID==0 (EG by exploiting a SUID root binary) can't change the root
password. With SE Linux Strict policy a user who has UID==0 and the role
user_r can do little damage to the system.
I'll send a patch for unstable shortly (this patch may work with unstable
but I haven't had a chance to test it).
diff -ru shadow-4.0.18.1.org/src/passwd.c shadow-4.0.18.1/src/passwd.c
--- shadow-4.0.18.1.org/src/passwd.c 2006-07-29 03:40:15.000000000 +1000
+++ shadow-4.0.18.1/src/passwd.c 2008-03-24 23:11:01.000000000 +1100
@@ -40,7 +40,9 @@
#include <sys/types.h>
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/flask.h>
#include <selinux/av_permissions.h>
+#include <selinux/context.h>
#endif
#include <time.h>
#include "defines.h"
@@ -567,6 +569,49 @@
return val;
}
+#ifdef WITH_SELINUX
+int
+check_selinux_access(const char *change_user, int change_uid, unsigned int access)
+{
+ int status = -1;
+ security_context_t user_context;
+ const char *user;
+
+ /* if in permissive mode then allow the operation */
+ if (security_getenforce() == 0)
+ return 0;
+
+ /* get the context of the process which executed passwd */
+ if (getprevcon(&user_context))
+ return -1;
+
+ /* get the "user" portion of the context (the part before the first
+ colon) */
+ context_t c;
+ c = context_new(user_context);
+ user = context_user_get(c);
+
+ /* if changing a password for an account with UID==0 or for an account
+ where the identity matches then return success */
+ if (change_uid != 0 && strcmp(change_user, user) == 0) {
+ status = 0;
+ } else {
+ struct av_decision avd;
+ int retval;
+ retval = security_compute_av(user_context, user_context,
+ SECCLASS_PASSWD, access, &avd);
+ if ((retval == 0) &&
+ ((access & avd.allowed) == access)) {
+ status = 0;
+ }
+ }
+ context_free(c);
+ freecon(user_context);
+ return status;
+}
+
+#endif
+
/*
* passwd - change a user's password file information
*
@@ -792,21 +837,32 @@
exit (E_NOPERM);
}
#ifdef WITH_SELINUX
- /*
- * If the UID of the user does not match the current real UID,
- * check if the change is allowed by SELinux policy.
- */
- if ((pw->pw_uid != getuid ())
- && (is_selinux_enabled () > 0 ?
- (selinux_check_passwd_access (PASSWD__PASSWD) != 0) :
- !amroot)) {
-#else
+ /* only do this check when getuid()==0 because it's a pre-condition for
+ changing a password without entering the old one */
+ if ((is_selinux_enabled() > 0) && (getuid() == 0) &&
+ (check_selinux_access(name, pw->pw_uid, PASSWD__PASSWD) != 0))
+ {
+ security_context_t user_context;
+ if (getprevcon(&user_context) < 0) {
+ user_context = strdup("Unknown user context");
+ }
+ syslog(LOG_ALERT,
+ "%s is not authorized to change the password of %s",
+ user_context, name);
+ fprintf(stderr, _("%s: %s is not authorized to change the "
+ "password of %s\n"),
+ Prog, user_context, name);
+ freecon(user_context);
+ exit(1);
+ }
+
+#endif
+
/*
* If the UID of the user does not match the current real UID,
* check if I'm root.
*/
if (!amroot && pw->pw_uid != getuid ()) {
-#endif
fprintf (stderr,
_
("%s: You may not view or modify password information for %s.\n"),
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Versions of packages passwd depends on:
ii debianutils 2.17 Miscellaneous utilities specific t
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii libpam-modules 0.79-5 Pluggable Authentication Modules f
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii libselinux1 2.0.15-2.etch1 SELinux shared libraries
ii login 1:4.0.18.1-7.1 system login tools
passwd recommends no packages.
-- debconf information excluded
More information about the Pkg-shadow-devel
mailing list