Bug 174828 - rsh and netgroups
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Russell Coker
Reported: 2005-12-02 10:57 EST by Dimitri Papadopoulos
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-01-11 17:16:20 EST

Attachments
/var/log/messages in permissive mode (382 bytes, text/plain)
2005-12-02 11:02 EST, Dimitri Papadopoulos
/var/log/messages in enforcing mode (117 bytes, text/plain)
2005-12-02 11:04 EST, Dimitri Papadopoulos
relevant part of /var/log/audit/audit.log (4.21 KB, text/plain)
2005-12-07 05:59 EST, Dimitri Papadopoulos

Description Dimitri Papadopoulos 2005-12-02 10:57:11 EST
Description of problem:
The default SELinux policy for FC4 breaks use of rsh with netgroups.
We run NIS. All our workstations are part of netgroup 'shfj':
	$ ypcat -k netgroup
	shfj [...] (foobar,,) [...]
	$ cat /etc/hosts.equiv
We also have a special account (let's call this account 'special') and a
netgroup of users called 'special_users':
	$ ypcat -k netgroup
	special_users (,dimitri,) [...]
Members of this 'special_users' group may log into account 'special' without
	special@localhost $ cat ~/.rhosts
	+@special_users  +@special_users
We have enabled rsh on our FC4 workstations and added 'promiscuous' so that
netgroups can be taken into account:
	$ cat /etc/xinetd.d/rsh
	#       disable                 = yes
	$ cat /etc/pam.d/rsh
	auth       required     pam_rhosts_auth.so promiscuous
When not in enforcing mode, rsh works as expected: it doesn't ask for a password
when trying to rsh as user 'special':
	# setenforce 0
	dimitri@foobar $ rsh localhost -l special
	special@foobar $ 
It does prompt for the 'special' account password in enforcing mode:
	# setenforce 1
	dimitri@foobar $ rsh localhost -l special
Users shouldn't be prompted for a password.

Version-Release number of selected component (if applicable):

How reproducible:
Comment 1 Dimitri Papadopoulos 2005-12-02 11:02:17 EST
Created attachment 121759
/var/log/messages in permissive mode
Comment 2 Dimitri Papadopoulos 2005-12-02 11:04:08 EST
Created attachment 121760
/var/log/messages in enforcing mode
Comment 3 Daniel Walsh 2005-12-06 11:02:33 EST
Could you attach /var/log/audit/audit.log avc messages?
Comment 4 Dimitri Papadopoulos 2005-12-07 05:59:00 EST
Created attachment 121965
relevant part of /var/log/audit/audit.log

For what it's worth, note that /usr/local (hence /usr/local/.rhosts) is not a
local filesystem. /usr/local is exported by an IRIX NFS server and NFS-mounted.
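
Comment 3 asks for the AVC messages from /var/log/audit/audit.log. The Python script below is an added example, not part of this bug report or of any SELinux tooling; it summarises denied AVC records by source type, target type, object class and permission. The sample log lines are constructed for illustration and are not the contents of attachment 121965, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format. They are NOT the contents of
# the attachment on this bug; the types and paths are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1133952000.101:210): avc:  denied  { search } for  pid=4021 comm="in.rshd" name="local" dev=0:15 ino=2 scontext=system_u:system_r:rshd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1133952000.101:210): arch=40000003 syscall=195 success=no exit=-13 pid=4021 comm="in.rshd" exe="/usr/sbin/in.rshd"
type=AVC msg=audit(1133952000.105:211): avc:  denied  { search } for  pid=4021 comm="in.rshd" name="local" dev=0:15 ino=2 scontext=system_u:system_r:rshd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=AVC msg=audit(1133952000.109:212): avc:  denied  { getattr } for  pid=4021 comm="in.rshd" path="/usr/local/.rhosts" dev=0:15 ino=77 scontext=system_u:system_r:rshd_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1133952003.440:215): avc:  granted  { setenforce } for  pid=3999 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("fields"))}
    rec.update(result=m.group("result"), perms=m.group("perms").split())
    return rec


def summarize_denials(log_text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}  {stype} -> {ttype} : {tclass} {{ {perm} }}")
```

Comparing the summary from a permissive-mode run with one from an enforcing-mode run shows which denials actually block the login, since enforcing mode stops at the first denied operation.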
