[linux-pam] #37: Wrong SELinux AV used in pam_rootok?
by fedora-badges
#37: Wrong SELinux AV used in pam_rootok?
---------------------+------------------------------
Reporter: bigon | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: 1.1.x | Keywords: selinux
Blocked By: | Blocking:
---------------------+------------------------------
Hello,
In the pam_rootok code there is the following SELinux check that checks if
a user can su to root without a password.
status = selinux_check_access(user_context, user_context, "passwd",
"passwd", NULL);
Both the class and the AV are "passwd".
Looking at the Fedora SELinux policy and the refpolicy, I see there is a
"rootok" AV in the passwd class with the comment "# pam_rootok check (skip
auth)"
Shouldn't this be changed in the code too then?
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/37>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years, 7 months
[PATCH] doc: Clarify pam_access docs re PAM service names and X $DISPLAY value testing.
by Karl O. Pinc
From: "Karl O. Pinc" <kop(a)meme.com>
* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml
Signed-off-by: Karl O. Pinc <kop(a)meme.com>
---
modules/pam_access/access.conf.5.xml | 40 +++++++++++++++++++++++++++-------
modules/pam_access/pam_access.8.xml | 5 +++--
2 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index a4d3419..d686d92 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -21,8 +21,12 @@
<para>
The <filename>/etc/security/access.conf</filename> file specifies
(<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
- (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
- (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>),
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>),
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>), or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name</replaceable>)
combinations for which a login will be either accepted or refused.
</para>
<para>
@@ -33,7 +37,14 @@
combination, or, in case of non-networked logins, the first entry
that matches the
(<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
- combination. The permissions field of that table entry determines
+ combination, or in the case of non-networked logins without a
+ tty, the first entry that matches the
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>) or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name/</replaceable>)
+ combination. The permissions field of that table entry
+ determines
whether the login will be accepted or refused.
</para>
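Review bot: `<replaceable>pam-service-name/</replaceable>` in this hunk carries a stray trailing slash; the first hunk spells the same placeholder `pam-service-name`, so drop the slash here for consistency (and so the rendered page does not read as a path).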
@@ -65,14 +76,27 @@
<para>
The third field, the <replaceable>origins</replaceable>
field, should be a list of one or more tty names (for non-networked
- logins), host names, domain names (begin with "."), host addresses,
+ logins), X <varname>$DISPLAY</varname> values or PAM service
+ names (for non-networked logins without a tty), host names,
+ domain names (begin with "."), host addresses,
internet network numbers (end with "."), internet network addresses
with network mask (where network mask can be a decimal number or an
internet address also), <emphasis>ALL</emphasis> (which always matches)
- or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
- keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is
- not set and <origin> field is thus set from
- <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
+ or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
+ keyword matches if and only if
+ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ when called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an
+ empty string (and therefore the
+ <replaceable>origins</replaceable> field is compared against the
+ return value of
+ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_TTY</emphasis> or, absent that,
+ <emphasis>PAM_SERVICE</emphasis>).
+ </para>
+
+ <para>
If supported by the system you can use
<emphasis>@netgroupname</emphasis> in host or user patterns. The
<emphasis>@@netgroupname</emphasis> syntax is supported in the user
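Review bot: the rewritten LOCAL description is one sentence whose parenthetical runs nine lines and nests two citerefentry references; split it into two sentences, the first stating that LOCAL matches when pam_get_item(3) called with PAM_RHOST returns NULL or an empty string, the second stating that the origins field is then compared against PAM_TTY or, absent that, PAM_SERVICE. The empty-string case is also new relative to the removed wording ("is not set"); confirm it matches what the module actually tests before documenting it.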
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index 710e2e7..c629a9f 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -50,7 +50,8 @@
The pam_access PAM module is mainly for access management.
It provides logdaemon style login access control based on login
names, host or domain names, internet addresses or network numbers,
- or on terminal line names in case of non-networked logins.
+ or on terminal line names, X <varname>$DISPLAY</varname> values,
+ or PAM service names in case of non-networked logins.
</para>
<para>
By default rules for access management are taken from config file
@@ -59,7 +60,7 @@
</para>
<para>
If Linux PAM is compiled with audit support the module will report
- when it denies access based on origin (host or tty).
+ when it denies access based on origin (host, tty, etc.).
</para>
</refsect1>
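Review bot: "origin (host, tty, etc.)" leaves the reader guessing; the previous hunk already enumerates the origin types, so spell them out here too, e.g. "origin (host, tty, X $DISPLAY value or PAM service name)".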
--
1.7.10.4
9 years, 7 months
Add grantor field to audit records
by Tomas Mraz
Hi,
this patch modifies the audit records of libpam to add a grantor field.
This field records, in the case of a successful authentication (or any
other successful PAM module call), that the module granted the access.
The PAM_SUCCESS return is recorded only for cases where the module
really contributed to the access being granted. That means that if the
action for success is different from ok and done, the module is not
recorded.
Please review, thanks,
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
9 years, 7 months
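As an added example (not part of the thread or of the Linux-PAM sources), the following parser shows how a defender would consume the grantor field described above: it extracts the granting module list from audit records and reports which module granted each successful operation, e.g. whether a root su was granted by pam_rootok (no password) or by pam_unix. The sample records are constructed and assume the field appears as `grantors=<comma-separated modules>` inside the `msg='...'` payload, with `grantors=?` on failure.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread). They assume the
# Linux-PAM audit layout: the grantor list is in the msg='...' payload as
# grantors=<module,module,...>, '?' when nothing granted, and res=success|failed.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1400000001.001:101): pid=2001 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1400000002.002:102): pid=2002 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_AUTH msg=audit(1400000003.003:103): pid=2003 uid=1001 auid=1001 ses=4 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/2 res=failed'
type=USER_ACCT msg=audit(1400000004.004:104): pid=2004 uid=1001 auid=1001 ses=4 msg='op=PAM:accounting grantors=pam_unix,pam_permit acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

# key=value pairs; values are either double-quoted or a run of non-space chars
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Flatten one audit line (header fields plus the msg='...' payload) into a dict.
    'grantors' becomes a list of module names; '?' (nothing granted) becomes []."""
    rec = {}
    head, _, payload = line.partition("msg='")
    for k, v in _KV.findall(head):
        rec[k] = v.strip('"')
    for k, v in _KV.findall(payload.rstrip("'\n")):
        rec[k] = v.strip('"')
    g = rec.get("grantors", "?")
    rec["grantors"] = [] if g == "?" else g.split(",")
    return rec


def _successful(log_text):
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_audit_record(line)
            if rec.get("res") == "success":
                yield rec


def grantor_summary(log_text):
    """Count successful operations by (op, account, granting module list)."""
    return Counter((r["op"], r["acct"], ",".join(r["grantors"])) for r in _successful(log_text))


def granted_by(log_text, module, acct=None):
    """Successful records in which `module` is among the grantors (optionally for one account)."""
    return [r for r in _successful(log_text)
            if module in r["grantors"] and (acct is None or r.get("acct") == acct)]
```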