Bug 293181

Summary: pam_unix should user helper apps first, check shadow second.
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-19 08:08:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Walsh 2007-09-17 13:00:23 UTC 
Description of problem:

pam_unix currently defaults to checking for read access on /etc/shadow and then
fails over to using the helper applications.  This causes us to have to add 
dontaudit DOMAIN shadow_t:file r_file_perms lines to every app that uses pam. 
This prevents us from actually realizing whether a domain is tring to steal the
shadow file. 

Making this change would allow us to remove the dontaudit rule.

The code should try to execute the helper apps and if it fails to be able to
execute them (File does not exist, file is not executable), failover to using
the /etc/shadow.
Comment 1 Tomas Mraz 2007-09-19 08:08:38 UTC 
Fixed in pam-0.99.8.1-7.fc8

I don't try to read /etc/shadow directly when helper fails as the helper is
always installed and reading /etc/shadow doesn't make sense. But the helper is
executed only when selinux is enabled.