Bug 174362 - RHEL4: pam_access.so does not work with rexec for IP/hostname restriction
RHEL4: pam_access.so does not work with rexec for IP/hostname restriction
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rsh (Show other bugs)
4.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Karel Zak
Ben Levenson
:
Depends On:
Blocks: 187538
  Show dependency treegraph
 
Reported: 2005-11-28 10:00 EST by Karel Zak
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: RHBA-2006-0361
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-10 18:09:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Karel Zak 2005-11-28 10:00:00 EST
+++ This bug was initially created as a clone of Bug #174146 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12)
Gecko/20050915 Firefox/1.0.7

Description of problem:
We need to restrict rexec access by IP/hostname. But the combo of pam_access and
rexec does not work together for this purpose. 

The following are the conf files:
# cat /etc/pam.d/rexec
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rexec" must be
# listed in /etc/securetty.
auth       required     pam_nologin.so
auth       required     pam_securetty.so
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
account    required     pam_access.so accessfile=/etc/pam.d/rexec.access
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

# cat /etc/pam.d/rexec.access
+:user1:testhost1
-:ALL:ALL

Version-Release number of selected component (if applicable):
pam-0.75-62, rsh-server-0.17-17

How reproducible:
Always

Steps to Reproduce:
1. From 'testhost1' server, type command: rexec -ad -l user1 -p user1_password
rexecd_server_name '/bin/touch /tmp/testing1.txt'
2. The above will fail every time, file '/var/log/message' would show that
pam_access says that "access denied for user `user1' from `rexec'"
3. But if I change the file '/etc/pam.d/rexec.access' to be:
+:user1:rexec
-:ALL:ALL

Or if I change the file to be:
+:user1:ALL
-:ALL:ALL

Then the rexec will always suceed.
  

Actual Results:  rexec: Host = rexecd_server_name
rexec: Command to execute = /bin/touch /tmp/testing1.txt
testinghost1: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: No such file or directory

Expected Results:  /tmp/testing1.txt should have been created in server
'rexecd_server_name'

Additional info:

I also tested this pam/rsh-server combo for RHEL ES3U6 (as the rexecd_server),
it also failed in the same way. It seems rexec could not work well with
pam_access.so.

-- Additional comment from tmraz@redhat.com on 2005-11-25 07:32 EST --
This is clearly a problem in rexec not pam_access.


-- Additional comment from hxwu@tribune.com on 2005-11-25 15:34 EST --
Here are more information from /var/log/messages in rexecd server:
Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd[20200]: connect from
testhost1
Nov 25 14:01:25 rexecd_server_name pam_access[20200]: access denied for user
`asrc' from `rexec'

The messages indicates that in.rexecd knows that the connection came from
'testhost1', but pam_access doesn't know the source of the connection, it just
knew it came from 'rexec'. Not sure if this would be helpful.

-- Additional comment from kzak@redhat.com on 2005-11-28 09:14 EST --
You're right. It doesn't set pam_set_item(pamh, PAM_RHOST, host);
Comment 7 Red Hat Bugzilla 2006-05-10 18:09:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0361.html

Note You need to log in before you can comment on or make changes to this bug.