List: selinux
Subject: please delete kcheckpass.te
From: Russell Coker <russell () coker ! com ! au>
Date: 2003-09-23 8:45:31
Please delete the policy for kcheckpass.
The problem with kcheckpass was that it is SUID root in Debian. This is a bug, as it can run fine without being SUID: if kcheckpass is run under your UID, then the SUID helper program unix_chkpwd will be run (which has appropriate policy support). This is better than granting kcheckpass direct access to /etc/shadow, as it means that we have fewer programs with access to the shadow file, so an attacker who wants to obtain a copy of it has fewer potential targets.
Debian users should give kcheckpass mode 0755 (I have filed a Debian bug
report about this already). Red Hat appears to not have this bug.
Once kcheckpass is not run with UID==0, the pam_unix.so code will automatically run unix_chkpwd. Currently the pam_unix.so code will abort if it can't read /etc/shadow and its UID==0; I consider this a bug in pam.
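The remediation above (drop the set-user-ID bit so that kcheckpass runs under the calling UID and pam_unix falls back to the unix_chkpwd helper) can be checked and applied with a small audit script. This is an added example, not part of Russell's message or of the Debian or KDE packaging; the default path /usr/bin/kcheckpass is an assumption, and the sample file used in testing is constructed. `test -u` and `find -perm -4000` are POSIX, so it runs with plain /bin/sh.

```sh
#!/bin/sh
# Added example (not from the original post): audit a binary for the SUID bit
# and reset it to mode 0755, as recommended for kcheckpass on Debian.
# DEFAULT_TARGET is an assumed install path, not one given in the post.
DEFAULT_TARGET=/usr/bin/kcheckpass

# is_suid PATH -> exit 0 if PATH exists and carries the set-user-ID bit.
# POSIX `test -u` does exactly this check.
is_suid() {
    [ -u "$1" ]
}

# drop_suid PATH -> replace the mode with 0755 (the mode the post recommends);
# the helper that actually needs privilege, unix_chkpwd, keeps its own SUID bit.
drop_suid() {
    chmod 0755 "$1"
}

# list_suid DIR -> print every regular file under DIR with the SUID bit set.
# Useful as a before/after inventory of privileged executables.
list_suid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# count_suid DIR -> number of SUID files under DIR (whitespace trimmed).
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# audit PATH -> report the state, fix it if needed; exit 0 once PATH is non-SUID
# (a missing file is reported and treated as nothing-to-do).
audit() {
    if [ ! -e "$1" ]; then
        echo "$1: not present"
        return 0
    fi
    if is_suid "$1"; then
        echo "$1: is SUID root; setting mode 0755 so pam_unix will call unix_chkpwd"
        drop_suid "$1" || return 1
    else
        echo "$1: already non-SUID"
    fi
    ! is_suid "$1"
}

# Run directly as `sh audit_suid.sh [PATH]`; with no argument the assumed
# default path is used. Sourcing the file only defines the functions.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run `sh audit_suid.sh /usr/bin/kcheckpass` as root on the affected host; `list_suid /usr/bin` before and after gives the inventory that shows one fewer program with potential access to /etc/shadow.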
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page