
List:       linux-security-module
Subject:    Re: MAC and pam_nologin (was Re: man-pages-3.15 is released)
From:       Valdis.Kletnieks () vt ! edu
Date:       2008-12-06 6:26:35
Message-ID: 12563.1228544795 () turing-police ! cc ! vt ! edu

On Sat, 06 Dec 2008 14:04:07 +0900, Tetsuo Handa said:

(Not really a LSM or kernel issue, and I think mtk.man does kernel
manpages only.  At least on my Fedora and RedHat systems, the 'login' manpage
comes from util-linux, so any manpage fixes would go via that route).

> But this description becomes inaccurate when MAC (e.g. SELinux) is enabled.
> 
> MAC can deny open("/etc/nologin", O_RDONLY) by root user. Thus,
> 
>   # ln /etc/shadow /etc/nologin
> 
> will create /etc/nologin which is *not readable* by login(1).
> As a result, non-root users' logins are permitted while /etc/nologin *exists*.
> 
> I guess pam_nologin is using a code like
> 
>   fp = fopen("/etc/nologin", "r");
>   if (fp)
>      /* print the contents of /etc/nologin and reject login request. */

Rather than guessing, maybe a check of what the source code actually *does*
would be better?

> So, I think one of the modifications below is needed.
> 
> (1) Change the description of manpage like
> 
>   If the file /etc/nologin *is readable*, login(1) will allow access only to
>   root. Other users will be shown the contents of this file and their logins
>   will be refused.
> 
> (2) Change the code of pam_nologin like
> 
>   fd = open("/etc/nologin", O_RDONLY);
>   if (fd != EOF || errno != ENOENT)
>      /* print the contents of /etc/nologin and reject login request. */

(3) Recognize that a sysadmin who intentionally goes and creates a
/etc/nologin via insane means deserves the insane results.  You have to
go out of your way to actually create a case where the distinction between
"exists" and "is readable" matters.

Having said that, we probably *should* fix 'man login' to say 'is readable'.
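
The existence-versus-readability distinction the thread argues about, as an added C example (not pam_nologin's actual source): the fopen-style check the quoted message guesses at, beside the errno-aware check of proposal (2). The enum and function names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum nologin_verdict {
    NOLOGIN_ABSENT,      /* no /etc/nologin: allow login */
    NOLOGIN_PRESENT,     /* readable: show contents, refuse login */
    NOLOGIN_UNREADABLE   /* exists (or state unknown) but open() failed: refuse login */
};

/* Guessed pam_nologin logic: any fopen() failure, including an EACCES
 * imposed by a MAC policy, is silently treated as "file absent". */
enum nologin_verdict check_fopen_style(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return NOLOGIN_ABSENT;
    fclose(fp);
    return NOLOGIN_PRESENT;
}

/* Proposal (2): only ENOENT means absent. Any other open() failure
 * (EACCES, ENOTDIR, ...) still blocks non-root logins, but there is
 * no message to display. The first msglen-1 bytes are copied to msg. */
enum nologin_verdict check_errno_aware(const char *path, char *msg, size_t msglen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return (errno == ENOENT) ? NOLOGIN_ABSENT : NOLOGIN_UNREADABLE;
    ssize_t n = read(fd, msg, msglen - 1);
    close(fd);
    msg[n > 0 ? n : 0] = '\0';
    return NOLOGIN_PRESENT;
}

int main(void)
{
    char msg[256];
    const char *path = "/etc/nologin";
    printf("fopen-style:  %d\n", check_fopen_style(path));
    printf("errno-aware:  %d\n", check_errno_aware(path, msg, sizeof msg));
    return 0;
}
```

Run as an unprivileged user on a host where /etc/nologin exists but is unreadable, the two checks disagree; the errno-aware one is the behaviour proposal (2) asks for.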


