userspace checking in passwd command
Daniel J Walsh
dwalsh at redhat.com
Fri Oct 5 19:32:23 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
KaiGai Kohei wrote:
> Dan,
>
> Now, I'm tracking the userspace extensions in passwd command
> to port them into busybox.
>
> check_selinux_access() is defined as an extension of passwd,
> and it enables to confirm passwd:{passwd} permission when
> root (uid==0) executes this commans.
> However, there is a condition to bypass this checking.
> I cannot make sure the meaning of the condition.
>
> See the following implementation of the function.
> ---------------------------
> 48 int
> 49 check_selinux_access(const char *change_user, int change_uid, unsigned int access)
> 50 {
> 51 int status = -1;
> 52 security_context_t user_context;
> 53 const char *user;
> 54
> 55 if (security_getenforce() == 0) {
> 56 status = 0;
> 57 } else {
> 58 if (getprevcon(&user_context) == 0) {
> 59 context_t c;
> 60 c = context_new(user_context);
> 61 user = context_user_get(c);
> 62 if (change_uid != 0 && strcmp(change_user, user) == 0) {
> 63 status = 0;
> 64 } else {
> 65 struct av_decision avd;
> 66 int retval;
> 67 retval = security_compute_av(user_context,
> 68 user_context,
> 69 SECCLASS_PASSWD,
> 70 access,
> 71 &avd);
> 72 if ((retval == 0) &&
> 73 ((access & avd.allowed) == access)) {
> 74 status = 0;
> 75 }
> 76 }
> 77 context_free(c);
> 78 freecon(user_context);
> 79 }
> 80 }
> 81 return status;
> 82 }
> ---------------------------
> In line 62, it compares the target uid and username, then checking
> passwd:{passwd} is skipped when UID is non-privileged user and username
> matched with user field in its security context.
>
> Could you tell me the reason why such a checking is applied.
> If it is not necessary, I think we can use checkPasswdAccess() instead.
>
> Thanks,
This allows the user to change his own password.
The idea is to prevent someone running as UID 0 from changing someone
elses password unless they have the passwd:passwd priv.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHBpFGrlYvE4MpobMRAgfGAJ4zDCJt9KfqfE5l7O1AX2J9WblEQgCfWIwW
7forpRiq20aXDnu2AouKyAw=
=nK/i
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list