Bug 646484
Summary: | Replace SETUID in spec file with the correct file capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
Component: | passwd | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | dwalsh, matt, mgrepl, sgrubb, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | 646443 | Environment: | |
Last Closed: | 2010-10-25 19:41:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 646440 |
Description
Daniel Walsh
2010-10-25 13:33:55 UTC
passwd must be effective uid 0 to be able to replace /etc/shadow with a new copy. Are you sure that DAC_OVERRIDE isn't all that's needed? Yes, I am. Even with CAP_CHOWN it is not much better as you cannot create the new /etc/shadow as a regular user because that creates a race during which the user can replace root's password hash with arbitrarily chosen value allowing him to log in. Also other pam modules might depend on other capabilities and can have similar induced vulnerabilities as the pam_unix would have. (In reply to comment #1) > passwd must be effective uid 0 to be able to replace /etc/shadow with a new > copy. I guess the solution would be to allocate a new user "shadow" to own the file and make passwd setuid to that user, unless non-root ownership of /etc/shadow would upset other programs. (In reply to comment #3) > Also other pam modules might depend on other capabilities I guess if we cared enough, we could move each feature that requires unusual capabilities into a helper executable with those capabilities, but at some cost in performance and convenience. Would it make sense to exempt all programs whose operation involves calling arbitrary PAM modules from the remove-setuid project? Probably. |