[Pkg-shadow-commits] r868 - in trunk/debian: . patches

Nicolas FRANCOIS nekral-guest at costa.debian.org
Tue Feb 21 21:55:56 UTC 2006


Author: nekral-guest
Date: 2006-02-21 21:55:51 +0000 (Tue, 21 Feb 2006)
New Revision: 868

Added:
   trunk/debian/patches/493_selinux_no_proc
Modified:
   trunk/debian/changelog
   trunk/debian/patches/series
Log:
Only check selinux_check_passwd_access if is_selinux_enabled () > 0.
This patch should be tested in experimental in order to check it does not
break the SELinux support.


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2006-02-21 09:54:16 UTC (rev 867)
+++ trunk/debian/changelog	2006-02-21 21:55:51 UTC (rev 868)
@@ -11,8 +11,11 @@
       Better POSIX compliance and avoid failure if root password is set to '!'
       Thanks to Vagrant Cascadian for reporting and providing the patch
       Closes: #353813
+    - Only check selinux_check_passwd_access on SELinux enabled system.
+      This fix issues in passwd, chage, chfn and chsh when /proc is not
+      mounted. Closes: #352494
 
- -- Christian Perrier <bubulle at debian.org>  Tue, 14 Feb 2006 14:21:43 +0100
+ -- Christian Perrier <bubulle at debian.org>  Tue, 21 Feb 2006 22:50:33 +0100
 
 shadow (1:4.0.14-6) unstable; urgency=low
 
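Review bot: two wording slips in the new changelog entry should be fixed before upload: "This fix issues in passwd, chage, chfn and chsh" should read "This fixes issues in passwd, chage, chfn and chsh", and "on SELinux enabled system" should read "on SELinux-enabled systems". The entry also closes only #352494, while the header of 493_selinux_no_proc lists both #352494 and #353562 as fixed; if the second report is really addressed by this patch, add it to the Closes: line so the BTS is updated as well.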

Added: trunk/debian/patches/493_selinux_no_proc
===================================================================
--- trunk/debian/patches/493_selinux_no_proc	2006-02-21 09:54:16 UTC (rev 867)
+++ trunk/debian/patches/493_selinux_no_proc	2006-02-21 21:55:51 UTC (rev 868)
@@ -0,0 +1,82 @@
+Goal: Do not fail if /proc is not mounted
+      (passwd, chfn, chage, chsh)
+
+Fixes: #352494, #353562
+
+Note: It works on non-SELinux systems, and when /proc is not mounted.
+      I don't know if it works on SELinux systems.
+
+      IMHO, the following should be tested:
+      * try to use chage on another user's account
+      * try to use chfn on another user's account
+      * try to use chsh on another user's account
+      * try to chnage the password of another user's account
+
+      In the following cases:
+      + from an UID=0 account without SELinux permission
+      + from an UID!=0 account with SELinux permission
+      + from an UID=0 account with SELinux permission
+
+      (only the later should be permitted)
+
+The "with SELinux permission" probably means passwd, chfn, chsh or rootok
+in an SELinux policy.
+
+Index: shadow-4.0.14/src/chage.c
+===================================================================
+--- shadow-4.0.14.orig/src/chage.c	2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/chage.c	2006-02-20 20:49:22.000000000 +0100
+@@ -361,11 +361,10 @@
+ 	textdomain (PACKAGE);
+ 
+ 	ruid = getuid ();
+-#ifdef WITH_SELINUX
+-	amroot = (ruid == 0
+-		  && selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
+-#else
+ 	amroot = (ruid == 0);
++#ifdef WITH_SELINUX
++	if (amroot && is_selinux_enabled () > 0)
++		amroot = (selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
+ #endif
+ 
+ 	/*
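Review bot: the rewritten check is behaviour-preserving when is_selinux_enabled () returns 1, but the `> 0` comparison deliberately folds the documented -1 error return (libselinux cannot read the SELinux state, which is exactly the /proc-unmounted case) into the "disabled" case, so amroot stays true for UID 0 without the PASSWD__ROOTOK policy ever being consulted. That is the intended fix for #352494, but it is a fail-open decision, and it deserves a one-line comment above the `if` saying so, otherwise a later reader is likely to "correct" `> 0` to `!= 0` or `== 1` and silently change the semantics either way.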
+Index: shadow-4.0.14/src/chfn.c
+===================================================================
+--- shadow-4.0.14.orig/src/chfn.c	2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/chfn.c	2006-02-20 20:49:22.000000000 +0100
+@@ -378,6 +378,7 @@
+ 	 * check if the change is allowed by SELinux policy.
+ 	 */
+ 	if ((pw->pw_uid != getuid ())
++	    && (is_selinux_enabled () > 0)
+ 	    && (selinux_check_passwd_access (PASSWD__CHFN) != 0)) {
+ 		fprintf (stderr, _("%s: Permission denied.\n"), Prog);
+ 		closelog ();
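Review bot: this hunk does not match the passwd.c hunk in the same patch and looks like it drops a check rather than relaxing it. In a WITH_SELINUX build running without SELinux (or with /proc unmounted), `is_selinux_enabled () > 0` is false, so the whole condition is false and the "Permission denied" branch is skipped for every caller with `pw->pw_uid != getuid ()`, root or not; the `#else` branch that tests amroot is compiled out in this build. Unless some later test in chfn.c enforces amroot, a non-root user on such a system would be allowed to change another account's GECOS data. Use the shape passwd.c uses, assuming chfn.c keeps an amroot flag as passwd.c and chage.c do: `&& (!amroot || ((is_selinux_enabled () > 0) && (selinux_check_passwd_access (PASSWD__CHFN) != 0)))`.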
+Index: shadow-4.0.14/src/chsh.c
+===================================================================
+--- shadow-4.0.14.orig/src/chsh.c	2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/chsh.c	2006-02-20 20:49:22.000000000 +0100
+@@ -304,6 +304,7 @@
+ 	 * check if the change is allowed by SELinux policy.
+ 	 */
+ 	if ((pw->pw_uid != getuid ())
++	    && (is_selinux_enabled () > 0)
+ 	    && (selinux_check_passwd_access (PASSWD__CHSH) != 0)) {
+ 		SYSLOG ((LOG_WARN, "can't change shell for `%s'", user));
+ 		closelog ();
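Review bot: the added `is_selinux_enabled () > 0` conjunct makes the whole condition false whenever SELinux is not active, so the SYSLOG and closelog () denial branch is never reached for a caller whose real UID differs from `pw->pw_uid`, regardless of whether that caller is root; the `#else` path that tests amroot is not compiled into a WITH_SELINUX build. The passwd.c hunk in this same patch guards against precisely that by testing `!amroot ||` before the SELinux sub-expression, and chsh.c should do the same, since a login shell is a more sensitive field than GECOS: `&& (!amroot || ((is_selinux_enabled () > 0) && (selinux_check_passwd_access (PASSWD__CHSH) != 0)))`, assuming chsh.c has the same amroot flag.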
+Index: shadow-4.0.14/src/passwd.c
+===================================================================
+--- shadow-4.0.14.orig/src/passwd.c	2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/passwd.c	2006-02-20 21:33:19.000000000 +0100
+@@ -802,7 +802,9 @@
+ 	 * check if the change is allowed by SELinux policy.
+ 	 */
+ 	if ((pw->pw_uid != getuid ())
+-	    && (selinux_check_passwd_access (PASSWD__PASSWD) != 0)) {
++	    && (   !amroot
++	        || (   (is_selinux_enabled () > 0)
++	            && (selinux_check_passwd_access (PASSWD__PASSWD) != 0)))) {
+ #else
+ 	/*
+ 	 * If the UID of the user does not match the current real UID,
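Review bot: the logic here is the right one (a non-root caller is always refused, root is additionally subject to the PASSWD__PASSWD policy only when SELinux is active), but the `#ifdef WITH_SELINUX` branch now repeats the real-UID/amroot decision that the `#else` branch, beginning on the last context line, makes for non-SELinux builds, so the two branches can drift apart again. Consider one unconditional `if (!amroot && pw->pw_uid != getuid ())` test shared by both builds, followed by the SELinux-specific check inside `#ifdef WITH_SELINUX`, which removes the duplicated condition. The padded `(   !amroot` / `(   (is_selinux_enabled` layout is also unusual for this code base; one clause per line without the extra spaces reads more easily and matches the surrounding style.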

Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	2006-02-21 09:54:16 UTC (rev 867)
+++ trunk/debian/patches/series	2006-02-21 21:55:51 UTC (rev 868)
@@ -51,6 +51,7 @@
 490_link_selinux_only_when_needed
 491_configure.in_friendly_selinux_detection
 492_manpages_typos
+493_selinux_no_proc
 # 999-2 is about using cdbs. It does not patch upstream files
 # so shouldn't be here, but we keep it for the future
 # 999-2_build_using_cdbs
