userspace checking in passwd command

Daniel J Walsh dwalsh at redhat.com
Fri Oct 5 19:32:23 UTC 2007


KaiGai Kohei wrote:
> Dan,
> 
> Now, I'm tracking the userspace extensions in the passwd command
> to port them into busybox.
> 
> check_selinux_access() is defined as an extension of passwd,
> and it enables confirming the passwd:{passwd} permission when
> root (uid==0) executes this command.
> However, there is a condition to bypass this checking.
> I cannot make sure of the meaning of the condition.
> 
> See the following implementation of the function.
> ---------------------------
>     48  int
>     49  check_selinux_access(const char *change_user, int change_uid, unsigned int access)
>     50  {
>     51          int status = -1;
>     52          security_context_t user_context;
>     53          const char *user;
>     54
>     55          if (security_getenforce() == 0) {
>     56                  status = 0;
>     57          } else {
>     58                  if (getprevcon(&user_context) == 0) {
>     59                          context_t c;
>     60                          c = context_new(user_context);
>     61                          user = context_user_get(c);
>     62                          if (change_uid != 0 && strcmp(change_user, user) == 0) {
>     63                                  status = 0;
>     64                          } else {
>     65                                  struct av_decision avd;
>     66                                  int retval;
>     67                                  retval = security_compute_av(user_context,
>     68                                                               user_context,
>     69                                                               SECCLASS_PASSWD,
>     70                                                               access,
>     71                                                               &avd);
>     72                                  if ((retval == 0) &&
>     73                                      ((access & avd.allowed) == access)) {
>     74                                          status = 0;
>     75                                  }
>     76                          }
>     77                          context_free(c);
>     78                          freecon(user_context);
>     79                  }
>     80          }
>     81          return status;
>     82  }
> ---------------------------
> In line 62, it compares the target uid and username; checking
> passwd:{passwd} is then skipped when the UID is a non-privileged user and
> the username matches the user field in its security context.
> 
> Could you tell me the reason why such a check is applied?
> If it is not necessary, I think we can use checkPasswdAccess() instead.
> 
> Thanks,

This allows the user to change his own password.

The idea is to prevent someone running as UID 0 from changing someone
else's password unless they have the passwd:passwd priv.


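The decision described in the reply, as an added model in C that is not the passwd source and is not part of the original message. `model_check`, `context_user`, `PASSWD_PASSWD`, the contexts and the account names are constructed for illustration, and the `allowed` argument stands in for the `avd.allowed` mask that `security_compute_av()` returns.

```c
#include <stdio.h>
#include <string.h>

#define PASSWD_PASSWD 0x1u  /* constructed bit standing in for passwd:{passwd} */

/* Copy the user field (text before the first ':') of an SELinux context
 * such as "user:role:type[:level]". Returns 0 on success, -1 if the
 * context is malformed or the field does not fit the buffer. */
static int context_user(const char *ctx, char *out, size_t outlen)
{
    const char *colon = ctx ? strchr(ctx, ':') : NULL;
    size_t n;

    if (colon == NULL || colon == ctx)
        return -1;
    n = (size_t)(colon - ctx);
    if (n >= outlen)
        return -1;
    memcpy(out, ctx, n);
    out[n] = '\0';
    return 0;
}

/* Model of the decision in check_selinux_access(): 0 = allow, -1 = deny.
 * 'allowed' stands in for avd.allowed as computed by security_compute_av(). */
int model_check(int enforcing, const char *prev_ctx, const char *change_user,
                int change_uid, unsigned int access, unsigned int allowed)
{
    char user[64];

    if (!enforcing)
        return 0;                          /* permissive: never blocks */
    if (context_user(prev_ctx, user, sizeof(user)) != 0)
        return -1;                         /* no usable context: fail closed */
    if (change_uid != 0 && change_user && strcmp(change_user, user) == 0)
        return 0;                          /* own, non-root account (line 62) */
    return ((access & allowed) == access) ? 0 : -1;  /* needs passwd:{passwd} */
}

int main(void)
{
    /* Constructed contexts and account names. */
    printf("alice->alice : %d\n", model_check(1, "alice:staff_r:staff_t", "alice", 1000, PASSWD_PASSWD, 0));
    printf("alice->bob   : %d\n", model_check(1, "alice:staff_r:staff_t", "bob", 1001, PASSWD_PASSWD, 0));
    printf("root->root   : %d\n", model_check(1, "root:sysadm_r:sysadm_t", "root", 0, PASSWD_PASSWD, 0));
    printf("admin->bob   : %d\n", model_check(1, "root:sysadm_r:sysadm_t", "bob", 1001, PASSWD_PASSWD, PASSWD_PASSWD));
    return 0;
}
```

The third case shows that the `change_uid != 0` test keeps the shortcut from applying to the root account: even a matching user name still needs the permission there.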
