Bug 126300
Summary: | 'su':inconsistent setting of XAUTHORITY env variable | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
Component: | coreutils | Assignee: | Tim Waugh <twaugh> |
Status: | CLOSED DUPLICATE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | dwalsh, nalin |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2004-12-08 16:22:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Tom London
2004-06-18 18:24:39 UTC
I think the SELinux policy is causing a failure in pam_xauth (specifically, a "permission denied" error attempting to read the user's .xauth/export file to check that the invoking user wishes to allow forwarding cookies to the target user -- any failure other than "no such file" is treated as an error). If anything pam_xauth attempts to do fails in this way, it steps aside and does nothing, leaving XAUTHORITY unmodified, holding a bad value. Looks like xauth creates 2 'lock' files: /home/USER/.Xauthority-c and /home/USER/.Xauthority-l. They are mode 600, owned by USER, with SELinux label user_u:object_r:user_home_xauth_t. I don't see any AVC messages indicating SELinux denial (although I am running a broken sysklogd). Is it possible that pam_xauth sees the lock files and 'silently' fails, leaving XAUTHORITY unmodified? 'su' is not waiting for access to the lock. Assuming that is the case, could this lead to some sort of DOS (or other) situation, where a malicious app of some sort creates files that mimic these lock-files, thereby fooling pam_xauth? I would think this would be a more realistic scenario if the system was not running SELinux/enforcing..... Is there some 'safe' fall-back value for XAUTHORITY that pam_xauth could use in this case? |