Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | add pam_sepermit to sshd pam config to block confined users in permissive mode |
| Product | [Fedora] Fedora |
| Reporter | Dominick Grift <dominick.grift> |
| Component | openssh |
| Assignee | Tomas Mraz <tmraz> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Version | 10 |
| CC | dwalsh, mgrepl, tmraz |
| Fixed In Version | openssh-5.1p1-5.fc11 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2009-02-12 10:41:22 EST |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
Description Dominick Grift 2008-11-15 11:46:39 EST
Description of problem:
- man page for pam selinux permit is missing
- /etc/security/sepermit.conf, %seuser option does not work
- pam sepermit entry missing in /etc/pam.d/sshd

Version-Release number of selected component (if applicable):
pam-1.0.2-2.fc10.x86_64

Additional info:
- there used to be a man page for pam sepermit, now it is gone (man pam_selinux_sepermit)
  http://danwalsh.livejournal.com/13376.html
  http://danwalsh.livejournal.com/18865.html
- echo "%seuser guest_u" >> /etc/security/sepermit.conf does not deny access for seuser guest_u when selinux is in permissive mode.
- guest_u, like xguest_u, are seusers available by default. pam.d/gdm is set up properly for xguest_u by default (has sepermit pam entry plus name space pam entry), however this is not the case for guest_u and pam.d/sshd (missing sepermit pam entry and namespace pam entry)
Comment 1 Tomas Mraz 2008-11-16 11:23:03 EST
Please do not put multiple bugs into one bug report next time. The canonical name for the module is now pam_sepermit. The pam_selinux_permit.so is just a symlink for backward compatibility. 'man pam_sepermit' thus gives you the manual page. You must add %guest_u to sepermit.conf not %seuser guest_u. sshd is not set by default because the xguest user is not supposed to be allowed in by sshd.
Comment 2 Dominick Grift 2008-11-16 12:11:35 EST
Thanks for clarifying point one and two. Sorry for the false alarm. About point 3 though: xguest_u is not allowed to use sshd, only gdm. True. However guest_u is not allowed to use gdm, only sshd...
Comment 3 Tomas Mraz 2008-11-18 03:08:33 EST
Ccing dwalsh. Dan, what do you think about guest_u? I do not think we should support passwordless ssh login. But what about adding pam_sepermit to sshd PAM configuration to block guest_u if SELinux is in permissive mode?
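The two configuration points raised so far (Comment 1: sepermit.conf entries are written as `%guest_u`, not `%seuser guest_u`; Comment 3: sshd's PAM stack needs a pam_sepermit line for that entry to have any effect on ssh logins) can be checked together. The script below is an added example and is not part of this bug or of the openssh/pam packages. It works on constructed copies of the two files written to a temporary directory, so it runs without touching the real `/etc/pam.d/sshd` or `/etc/security/sepermit.conf`; the "before" and "after" sshd stacks and the sepermit.conf contents are sample data, and the rule it encodes is the documented pam_sepermit behaviour (a listed user is allowed only when SELinux is enforcing, and denied when SELinux is permissive or disabled).

```shell
#!/bin/sh
# Added example (not from the bug report): check whether an sshd PAM stack
# loads pam_sepermit and whether a given SELinux user is listed in
# sepermit.conf, i.e. whether that seuser would be refused by sshd when
# SELinux is permissive or disabled.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# --- constructed sample files; the real ones live under /etc ---------------

# sshd stack without pam_sepermit (the situation the reporter describes)
cat > "$workdir/sshd.before" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    include      system-auth
EOF

# sshd stack with pam_sepermit added in front of the normal auth stack
cat > "$workdir/sshd.after" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    include      system-auth
EOF

# sepermit.conf: one entry per line; a SELinux user is written as %seuser,
# with the mistaken "%seuser guest_u" form left in (commented) for contrast
cat > "$workdir/sepermit.conf" <<'EOF'
# <user>  -- a login name, @group, or %selinux_user; options may follow
#%seuser guest_u    <- wrong: this does not name the seuser guest_u
%guest_u
EOF

# --- checks ---------------------------------------------------------------

# has_sepermit FILE: succeeds if an uncommented auth/account line loads
# pam_sepermit.so
has_sepermit() {
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+[^#]*pam_sepermit\.so' "$1"
}

# seuser_listed CONF SEUSER: succeeds if "%SEUSER" is an entry on its own
# (optionally followed by options); "%seuser guest_u" does not match guest_u
seuser_listed() {
    grep -Eq "^[[:space:]]*%$2([[:space:]:]|\$)" "$1"
}

# permissive_blocks PAMFILE CONF SEUSER: prints yes if SEUSER would be denied
# by this stack when SELinux is permissive/disabled, otherwise no
permissive_blocks() {
    if has_sepermit "$1" && seuser_listed "$2" "$3"; then
        echo yes
    else
        echo no
    fi
}

# --- demonstration ----------------------------------------------------------
for stack in sshd.before sshd.after; do
    printf '%s blocks guest_u in permissive mode: %s\n' "$stack" \
        "$(permissive_blocks "$workdir/$stack" "$workdir/sepermit.conf" guest_u)"
done
```

Running it prints `no` for the stack without pam_sepermit and `yes` for the stack that loads it; swapping the `%guest_u` line for the reporter's `%seuser guest_u` form makes both answers `no`, which is exactly the symptom in the original report. Note that the check only reads files; it says nothing about the current SELinux mode, which is what pam_sepermit itself consults at login time.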
Comment 4 Daniel Walsh 2008-11-18 11:43:09 EST
I think adding it is fine and probably a good idea, blocking guest_u logins with SELinux disabled or permissive is also a good idea. I think we need to make sure xguest_u is only available via gdm and not sshd by default, and I am not sure pam_sepermit supports this. If I install the xguest package I do not want the xguest user to be accessible via no password from the internet.
Comment 5 Tomas Mraz 2008-11-18 12:51:18 EST
I would use a different pam config entry for sshd that would not allow passwordless logins.
Comment 6 Daniel Walsh 2008-11-18 13:06:06 EST
That is my only concern. I would like to get to the point where we could experiment with returning random UIDs from a range of uid. So you could setup a group of guest accounts that people could log into with temporary home and /tmp directories. Perhaps without a password.
Comment 7 Bug Zapper 2008-11-26 00:27:13 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping