newrole using SELinux user identity for password lookups
Stephen Smalley
sds at epoch.ncsc.mil
Wed Apr 21 19:40:37 UTC 2004
On Wed, 2004-04-21 at 15:33, Colin Walters wrote:
> Ok, that all makes sense. Why not then just use getpwuid(getuid())
> instead of getpwnam?
>
> Hm, although I see one reason - on a SELinux system where "su" is not
> modified, and a normal user with their own SELinux user identity uses
> "su" to become uid 0, then uses newrole, they'd be prompted for the root
> password instead of their password.
>
> However for Fedora where we've modified "su", this is not an issue.

I'd rather move away from asking for a password at all in newrole, and
substitute some other user confirmation mechanism (one that doesn't risk
exposure of a secret).

> Yeah. It seems there is some work in this area going on:
> http://shellcode.org/Kernel/tpe/

TPE is _not_ related to the classical notion of trusted path at all.
Type Enforcement is a better mechanism for providing the equivalent
functionality of TPE. Trusted path is described in the latter part of
http://www.nsa.gov/selinux/papers/inevitability/#2 , among other places.

--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency