[Pkg-shadow-devel] Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support
Russell Coker
russell at coker.com.au
Tue Mar 25 11:46:49 UTC 2008

On Tuesday 25 March 2008 21:03, Nicolas François <nicolas.francois at centraliens.net> wrote:
> > I'll send a patch for unstable shortly (this patch may work with unstable
> > but I haven't had a chance to test it).
>
> That is not necessary. The patch is clear, and I will port it to 4.1.1.

Thanks! I won't be able to test it for some days however due to the lack of
2.4.24 Xen kernel support in Debian. The Etch kernel has an older version of
the SE Linux code and doesn't work properly with Unstable SE Linux.

> Is this something that should be also applied to the other tools of the
> shadow toolsuite?

Yes, something similar (but not quite the same) needs to be applied to chfn
and chsh.

> (usermod, userdel, newusers, chpasswd could all be used to change the
> user's password; chage, or chfn could also do some harm by locking the
> account, the password or some logins (but I don't know if root would be
> affected))

usermod, userdel, newusers, and chpasswd are (or at least should be) already
covered. There is a separate domain for sys-admin password manipulation
programs which can only be entered by the sys-admin.

The difficulty comes when one program is used by an unprivileged user to
change their own password and also by the sys-admin. It would make sense to
me to have two versions of passwd and crontab to avoid this confusion, but
it's probably decades too late to revise this decision.

> Just to understand a bit more SE Linux, why don't you want to protect
> against changes to non-root accounts?

There is already code to validate the non-root user's password before changing
it. That is sufficient.

The idea is that to change a password you must know the old password or have
suitable sys-admin rights.

> (If I understand correctly, an extra command is needed to get the user_r
> role, and you don't want to force admins to use this command for every
> change, only the ones which may endanger the system. Is that right?)

Changing another user's password will be done from sysadm_r and it requires no
special effort once you are logged in with that role. In some configurations
you can't log in directly as sysadm_r, in which case you need to use
the "newrole" program first (in a similar way to logging in as non-root and
running "su -" before sys-admin work).