* Question about chsh/chfn/passwd patches
From: Thorsten Kukuk @ 2003-10-15  3:44 UTC (permalink / raw)
  To: SELinux Mailinglist


Hi,

I have a question about the passwd/chfn/chsh patches.

passwd only calls checkAccess. chfn/chsh additionally call
setupDefaultContext.

I don't understand what the last function does. What is it good for,
and why don't we need to call it from passwd?

  Thanks,
    Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Question about chsh/chfn/passwd patches
From: Stephen Smalley @ 2003-10-15 18:03 UTC (permalink / raw)
  To: Thorsten Kukuk; +Cc: SELinux Mailinglist, Daniel J Walsh

On Tue, 2003-10-14 at 23:44, Thorsten Kukuk wrote:
> I have a question about the passwd/chfn/chsh patches.
> 
> passwd only calls checkAccess. chfn/chsh additionally call
> setupDefaultContext.
> 
> I don't understand what the last function does. What is it good for,
> and why don't we need to call it from passwd?

IIRC, for the RH passwd program, this is handled by the libuser patch.
The call is necessary to preserve the security attributes on /etc/passwd
and /etc/shadow when they are rewritten for updates.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Question about chsh/chfn/passwd patches
From: Thorsten Kukuk @ 2003-10-15 18:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux Mailinglist, Daniel J Walsh

On Wed, Oct 15, Stephen Smalley wrote:

> On Tue, 2003-10-14 at 23:44, Thorsten Kukuk wrote:
> > I have a question about the passwd/chfn/chsh patches.
> > 
> > passwd only calls checkAccess. chfn/chsh additionally call
> > setupDefaultContext.
> > 
> > I don't understand what the last function does. What is it good for,
> > and why don't we need to call it from passwd?
> 
> IIRC, for the RH passwd program, this is handled by the libuser patch.
> The call is necessary to preserve the security attributes on /etc/passwd
> and /etc/shadow when they are rewritten for updates.

Ok, since I always copy all attributes when I modify /etc/passwd and
/etc/shadow (to make sure ACLs and security attributes are preserved),
I don't need it.

  Thanks,
    Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B


* Re: Question about chsh/chfn/passwd patches
From: Stephen Smalley @ 2003-10-15 18:41 UTC (permalink / raw)
  To: Thorsten Kukuk; +Cc: SELinux Mailinglist, Daniel J Walsh

On Wed, 2003-10-15 at 14:31, Thorsten Kukuk wrote:
> Ok, since I always copy all attributes when I modify /etc/passwd and
> /etc/shadow (to make sure ACLs and security attributes are preserved),
> I don't need it.

The problem with simply preserving attributes via setxattr is that you
cannot create the new file immediately with the desired attributes, so
there is a window where the new file exists with the default attribute
value, typically inherited from the parent directory.  Note that this is
particularly a concern for /etc/passwd and /etc/shadow, since they live
in the same parent directory but have differing protection requirements.

The SELinux setfscreatecon() interface (implemented via the
/proc/pid/attr/fscreate API) allows a process to set the desired
security context for subsequent file creations, similar to the umask. 
You'll notice that many of the SELinux patches use this interface to set
the desired context prior to creating the new file, so that files are
immediately created with the right context and are protected
accordingly.  This is one of the reasons we don't just use the EA patch
for coreutils and instead have our own.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Question about chsh/chfn/passwd patches
From: Thorsten Kukuk @ 2003-10-15 19:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux Mailinglist

On Wed, Oct 15, Stephen Smalley wrote:

> On Wed, 2003-10-15 at 14:31, Thorsten Kukuk wrote:
> > Ok, since I always copy all attributes when I modify /etc/passwd and
> > /etc/shadow (to make sure ACLs and security attributes are preserved),
> > I don't need it.
> 
> The problem with simply preserving attributes via setxattr is that you
> cannot create the new file immediately with the desired attributes, so
> there is a window where the new file exists with the default attribute
> value, typically inherited from the parent directory.  Note that this is
> particularly a concern for /etc/passwd and /etc/shadow, since they live
> in the same parent directory but have differing protection requirements.

Ok, I think it is trivial to do a getfscreatecon, call setfscreatecon
with the permissions of the passwd file and restore the original
fscreate values afterwards.

But it would be interesting to know how somebody could be able to do
something forbidden with the following:

Create temporary file with mkstemp, mode 0600, owner root:root.
Copy EA attributes.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B


* Re: Question about chsh/chfn/passwd patches
From: Stephen Smalley @ 2003-10-15 19:16 UTC (permalink / raw)
  To: Thorsten Kukuk; +Cc: SELinux Mailinglist

On Wed, 2003-10-15 at 15:04, Thorsten Kukuk wrote:
> Ok, I think it is trivial to do a getfscreatecon, call setfscreatecon
> with the permissions of the passwd file and restore the original
> fscreate values afterwards.

Actually, this would be getfilecon() and then setfscreatecon().
getfilecon (which simply is a wrapper around getxattr that encapsulates
the attribute name for SELinux and provides automatic allocation of the
buffer) gets the context of a specified file, whereas getfscreatecon()
gets the fscreate context of the current process.

> But it would be interesting to know how somebody could be able to do
> something forbidden with the following:
> 
> Create temporary file with mkstemp, mode 0600, owner root:root.
> Copy EA attributes.

You're assuming that root is god.  Not so with a mandatory access
control scheme like SELinux.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Question about chsh/chfn/passwd patches
From: Thorsten Kukuk @ 2003-10-15 19:30 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux Mailinglist

On Wed, Oct 15, Stephen Smalley wrote:

> On Wed, 2003-10-15 at 15:04, Thorsten Kukuk wrote:
> > Ok, I think it is trivial to do a getfscreatecon, call setfscreatecon
> > with the permissions of the passwd file and restore the original
> > fscreate values afterwards.
> 
> Actually, this would be getfilecon() and then setfscreatecon().

No, I mean at first getfscreatecon. You cannot assume that a program
calling a library modifying /etc/passwd does not create any other files.
And in the latter case it could be that we don't want these files to
be created with the passwd context. Just think about useradd and
creating home directories.
So you have to back up the original values first and restore them
afterwards.

> > But it would be interesting to know how somebody could be able to do
> > something forbidden with the following:
> > 
> > Create temporary file with mkstemp, mode 0600, owner root:root.
> > Copy EA attributes.
> 
> You're assuming that root is god.  Not so with a mandatory access
> control scheme like SELinux.

No, I don't assume that root is god. 

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrnstr. 15-19        D-90429 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B

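The sequence the two messages above converge on (save the process fscreate label, set it to the target file's label, create the temporary file, rename it over the target, restore fscreate), as an added example that is not code from this thread, from libuser, or from the pam/coreutils patches it mentions. It drives the raw kernel interfaces Stephen names, /proc/self/attr/fscreate and the security.selinux xattr, instead of libselinux's getfscreatecon()/getfilecon()/setfscreatecon(), so it runs with a plain Python 3 on Linux; where SELinux is not active or the file is unlabeled, the getters return None and the rewrite degrades to an ordinary mkstemp-and-rename.

```python
import os, tempfile

FSCREATE = "/proc/self/attr/fscreate"  # kernel API behind setfscreatecon()/getfscreatecon()
SELINUX_XATTR = "security.selinux"     # the xattr name that getfilecon() wraps around getxattr()

def get_file_context(path):
    """getfilecon() equivalent; None if the file carries no SELinux label (or the fs has none)."""
    try:
        return os.getxattr(path, SELINUX_XATTR).rstrip(b"\0") or None
    except OSError:
        return None

def get_fscreate_context():
    """getfscreatecon() equivalent; None if unset, or if SELinux is not the active LSM."""
    try:
        with open(FSCREATE, "rb") as f:
            return f.read().rstrip(b"\0") or None
    except OSError:
        return None

def set_fscreate_context(ctx):
    """setfscreatecon() equivalent; False if the kernel refuses (no SELinux, or policy denies it)."""
    try:
        with open(FSCREATE, "wb", buffering=0) as f:
            f.write((ctx or b"") + b"\0")  # NUL-terminated label as libselinux writes it; a lone NUL clears
        return True
    except OSError:
        return False

def replace_preserving_context(path, new_content):
    """The order the thread settles on: save fscreate, set it to the target's label, mkstemp (0600)
    beside the target so the new file is *born* labeled (no window with the directory's default),
    write, rename over the target, then restore fscreate so unrelated files the same program
    creates later (e.g. a home directory from useradd) do not inherit the passwd label."""
    saved, target_ctx = get_fscreate_context(), get_file_context(path)
    armed = bool(target_ctx) and set_fscreate_context(target_ctx)
    try:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        try:
            os.write(fd, new_content)
            os.fchmod(fd, os.stat(path).st_mode & 0o7777)  # keep the old mode bits as well
        finally:
            os.close(fd)
        os.rename(tmp, path)
    finally:
        if armed:
            set_fscreate_context(saved)  # restore even if the rewrite failed
    return get_file_context(path)  # label the caller can compare with the original
```

Run it against a copy of a passwd-style file rather than /etc/passwd itself; the returned label should equal what get_file_context() reported before the rewrite, and get_fscreate_context() should read the same value before and after.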

* Re: Question about chsh/chfn/passwd patches
From: Stephen Smalley @ 2003-10-15 19:35 UTC (permalink / raw)
  To: Thorsten Kukuk; +Cc: SELinux Mailinglist

On Wed, 2003-10-15 at 15:30, Thorsten Kukuk wrote:
> No, I mean at first getfscreatecon. You cannot assume that a program
> calling a library modifying /etc/passwd does not create any other files.
> And in the latter case it could be that we don't want these files to
> be created with the passwd context. Just think about useradd and
> creating home directories.
> So you have to back up the original values first and restore them
> afterwards.

Sorry, I misunderstood you.  Yes, the libuser and pam pwdb patches do
this as well.

> No, I don't assume that root is god.

Then you're assuming full revocation support, which doesn't exist, at
least not yet.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

