[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    please delete kcheckpass.te
From:       Russell Coker <russell () coker ! com ! au>
Date:       2003-09-23 8:45:31
[Download RAW message or body]

Please delete the policy for kcheckpass.

The problem with kcheckpass was that it is SUID root in Debian.  This is a bug 
as it can run fine without being SUID, if kcheckpass is run from your UID 
then the SUID helper program unix_chkpwd will be run (which has appropriate 
policy support).  This is better than granting kcheckpass direct access to /
etc/shadow as it means that we have less programs with access to the shadow 
file so an attacker who wants to obtain a copy of it has less potential 
targets.

Debian users should give kcheckpass mode 0755 (I have filed a Debian bug 
report about this already).  Red Hat appears to not have this bug.

Once kcheckpass is not run UID==0 then the pam_unix.so code will automatically 
run unix_chkpwd.  Currently the pam_unix.so code will abort if it can't 
read /etc/shadow and it's UID==0, I consider this a bug in pam.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]