[Pkg-shadow-commits] r868 - in trunk/debian: . patches
Nicolas FRANCOIS
nekral-guest at costa.debian.org
Tue Feb 21 21:55:56 UTC 2006
Author: nekral-guest
Date: 2006-02-21 21:55:51 +0000 (Tue, 21 Feb 2006)
New Revision: 868
Added:
trunk/debian/patches/493_selinux_no_proc
Modified:
trunk/debian/changelog
trunk/debian/patches/series
Log:
Only check selinux_check_passwd_access if is_selinux_enabled () > 0.
This patch should be tested in experimental in order to check that it does not
break the SELinux support.
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2006-02-21 09:54:16 UTC (rev 867)
+++ trunk/debian/changelog 2006-02-21 21:55:51 UTC (rev 868)
@@ -11,8 +11,11 @@
Better POSIX compliance and avoid failure if root password is set to '!'
Thanks to Vagrant Cascadian for reporting and providing the patch
Closes: #353813
+ - Only check selinux_check_passwd_access on SELinux enabled system.
+ This fix issues in passwd, chage, chfn and chsh when /proc is not
+ mounted. Closes: #352494
- -- Christian Perrier <bubulle at debian.org> Tue, 14 Feb 2006 14:21:43 +0100
+ -- Christian Perrier <bubulle at debian.org> Tue, 21 Feb 2006 22:50:33 +0100
shadow (1:4.0.14-6) unstable; urgency=low
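Review bot: the new entry line `+ This fix issues in passwd, chage, chfn and chsh when /proc is not` should read `This fixes issues in ...`; it also closes only `#352494`, while the patch header added in the same commit says `Fixes: #352494, #353562`, so either add #353562 to the `Closes:` line or drop it from the patch header so the two agree.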
Added: trunk/debian/patches/493_selinux_no_proc
===================================================================
--- trunk/debian/patches/493_selinux_no_proc 2006-02-21 09:54:16 UTC (rev 867)
+++ trunk/debian/patches/493_selinux_no_proc 2006-02-21 21:55:51 UTC (rev 868)
@@ -0,0 +1,82 @@
+Goal: Do not fail if /proc is not mounted
+ (passwd, chfn, chage, chsh)
+
+Fixes: #352494, #353562
+
+Note: It works on non-SELinux systems, and when /proc is not mounted.
+ I don't know if it works on SELinux systems.
+
+ IMHO, the following should be tested:
+ * try to use chage on another user's account
+ * try to use chfn on another user's account
+ * try to use chsh on another user's account
+ * try to chnage the password of another user's account
+
+ In the following cases:
+ + from an UID=0 account without SELinux permission
+ + from an UID!=0 account with SELinux permission
+ + from an UID=0 account with SELinux permission
+
+ (only the later should be permitted)
+
+The "with SELinux permission" probably means passwd, chfn, chsh or rootok
+in an SELinux policy.
+
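Review bot: the header's own Note says the SELinux-enabled path is untested, and its stated expectation `(only the later should be permitted)`, i.e. only a UID 0 account that also holds the SELinux permission, does not match what the chfn.c and chsh.c hunks below implement, where a UID != 0 caller holding the SELinux permission is still allowed; either the expectation or those hunks should be adjusted before this leaves experimental. Minor: `chnage` -> `change`, `the later` -> `the latter`.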
+Index: shadow-4.0.14/src/chage.c
+===================================================================
+--- shadow-4.0.14.orig/src/chage.c 2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/chage.c 2006-02-20 20:49:22.000000000 +0100
+@@ -361,11 +361,10 @@
+ textdomain (PACKAGE);
+
+ ruid = getuid ();
+-#ifdef WITH_SELINUX
+- amroot = (ruid == 0
+- && selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
+-#else
+ amroot = (ruid == 0);
++#ifdef WITH_SELINUX
++ if (amroot && is_selinux_enabled () > 0)
++ amroot = (selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
+ #endif
+
+ /*
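Review bot: `is_selinux_enabled () > 0` treats the -1 error return the same as 0 (disabled), so on a system where libselinux cannot determine the state, which is the /proc-not-mounted case this patch targets, a UID 0 caller gets `amroot` without the `PASSWD__ROOTOK` policy check; that is the intended fix, but it is fail-open on error and deserves a sentence in the patch header. Otherwise the rewrite is equivalent to the old code when SELinux is enabled: `amroot` still requires both `ruid == 0` and `selinux_check_passwd_access (PASSWD__ROOTOK) == 0`.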
+Index: shadow-4.0.14/src/chfn.c
+===================================================================
+--- shadow-4.0.14.orig/src/chfn.c 2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/chfn.c 2006-02-20 20:49:22.000000000 +0100
+@@ -378,6 +378,7 @@
+ * check if the change is allowed by SELinux policy.
+ */
+ if ((pw->pw_uid != getuid ())
++ && (is_selinux_enabled () > 0)
+ && (selinux_check_passwd_access (PASSWD__CHFN) != 0)) {
+ fprintf (stderr, _("%s: Permission denied.\n"), Prog);
+ closelog ();
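Review bot: with SELinux compiled in but not enabled, `(is_selinux_enabled () > 0)` is false and this whole condition short-circuits, so the `Permission denied` branch is never taken for a caller whose UID differs from `pw->pw_uid`; unlike the passwd.c hunk below, there is no `!amroot` fallback here. If no other check in chfn.c denies non-root users on SELinux-disabled systems, any user could edit another user's GECOS field. Please either confirm such a check exists or, assuming `amroot` is available in chfn.c as it is in passwd.c, write the test so the root check applies only when SELinux is off: `&& (is_selinux_enabled () > 0 ? selinux_check_passwd_access (PASSWD__CHFN) != 0 : !amroot)`.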
+Index: shadow-4.0.14/src/chsh.c
+===================================================================
+--- shadow-4.0.14.orig/src/chsh.c 2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/chsh.c 2006-02-20 20:49:22.000000000 +0100
+@@ -304,6 +304,7 @@
+ * check if the change is allowed by SELinux policy.
+ */
+ if ((pw->pw_uid != getuid ())
++ && (is_selinux_enabled () > 0)
+ && (selinux_check_passwd_access (PASSWD__CHSH) != 0)) {
+ SYSLOG ((LOG_WARN, "can't change shell for `%s'", user));
+ closelog ();
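Review bot: same short-circuit problem as in chfn.c: when SELinux is built in but disabled, `(is_selinux_enabled () > 0)` is false, the condition is never true, and the `can't change shell` branch is unreachable for a caller whose UID differs from `pw->pw_uid`, with no `!amroot` fallback as in the passwd.c hunk. Unless chsh.c denies non-root users elsewhere on SELinux-disabled systems, this would let any user change another user's shell; suggested form, assuming `amroot` exists in chsh.c: `&& (is_selinux_enabled () > 0 ? selinux_check_passwd_access (PASSWD__CHSH) != 0 : !amroot)`.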
+Index: shadow-4.0.14/src/passwd.c
+===================================================================
+--- shadow-4.0.14.orig/src/passwd.c 2006-02-20 20:49:21.000000000 +0100
++++ shadow-4.0.14/src/passwd.c 2006-02-20 21:33:19.000000000 +0100
+@@ -802,7 +802,9 @@
+ * check if the change is allowed by SELinux policy.
+ */
+ if ((pw->pw_uid != getuid ())
+- && (selinux_check_passwd_access (PASSWD__PASSWD) != 0)) {
++ && ( !amroot
++ || ( (is_selinux_enabled () > 0)
++ && (selinux_check_passwd_access (PASSWD__PASSWD) != 0)))) {
+ #else
+ /*
+ * If the UID of the user does not match the current real UID,
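Review bot: adding `!amroot ||` changes the SELinux-enabled semantics, not only the disabled one: a UID != 0 caller is now denied before `selinux_check_passwd_access (PASSWD__PASSWD)` is ever consulted, whereas the old condition let SELinux policy grant that access, and the chfn.c and chsh.c hunks in this same patch still allow it. If the intent is the patch header's `(only the later should be permitted)`, state that and align chfn/chsh; otherwise `(is_selinux_enabled () > 0 ? selinux_check_passwd_access (PASSWD__PASSWD) != 0 : !amroot)` falls back to the root check only when SELinux is off. Note also that the `#else` branch is untouched, so the disabled-SELinux behaviour here depends on how `amroot` is computed earlier in passwd.c, which is not visible in this hunk.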
Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series 2006-02-21 09:54:16 UTC (rev 867)
+++ trunk/debian/patches/series 2006-02-21 21:55:51 UTC (rev 868)
@@ -51,6 +51,7 @@
490_link_selinux_only_when_needed
491_configure.in_friendly_selinux_detection
492_manpages_typos
+493_selinux_no_proc
# 999-2 is about using cdbs. It does not patch upstream files
# so shouldn't be here, but we keep it for the future
# 999-2_build_using_cdbs