Bug 196851 - passwd -d account
Summary: passwd -d account
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: passwd
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks: FC6Target
 
Reported: 2006-06-27 09:16 UTC by Florian La Roche
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: passwd-0.73-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-17 08:09:41 UTC
Type: ---
Embargoed:



Description Florian La Roche 2006-06-27 09:16:21 UTC
Description of problem:
With a stripped down /proc, "passwd -d account" does not work, even though
selinux is disabled:

brk(0x9a4c000)                          = 0x9a4c000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=447, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f21000
read(3, "# This file controls the state o"..., 4096) = 447
close(3)                                = 0
munmap(0xb7f21000, 4096)                = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getuid32()                              = 0
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/proc/self/attr/prev", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("(null)/enforce", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getuid32()                              = 0
write(2, "Only root can do that.\n", 23) = 23
exit_group(-2)                          = ?

Looks like the checks are a bit too restrictive.

regards,

Florian La Roche




Comment 1 Tomas Mraz 2006-06-27 19:01:50 UTC
The passwd just calls checkPasswdAccess from libselinux. The problem is that the
is_selinux_enabled() function in libselinux uses /proc/filesystems to find out
if there is selinuxfs and returns -1 if /proc/filesystems cannot be opened.

The question is whether there is a better way to check if selinux is enabled.
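
The tri-state result described in Comment 1, as an added example that is not part of the original bug report and is not libselinux's code: a simplified model that scans a /proc/filesystems-style file for selinuxfs and returns -1 when the file cannot be opened. The function names and the sample contents are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Scan a /proc/filesystems-style stream; each line is "[nodev]<TAB>name".
   Returns 1 if the wanted filesystem name is listed, 0 if it is not. */
static int fs_listed(FILE *fp, const char *wanted)
{
    char line[256];
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\n")] = '\0';
        char *name = strrchr(line, '\t');   /* name is the last field */
        name = name ? name + 1 : line;
        if (strcmp(name, wanted) == 0)      /* exact match, not substring */
            return 1;
    }
    return 0;
}

/* Tri-state: 1 = selinuxfs listed, 0 = not listed,
   -1 = unknown because the file could not be opened (stripped-down /proc). */
int selinux_state(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
        return -1;
    int found = fs_listed(fp, "selinuxfs");
    fclose(fp);
    return found;
}

/* Helper for constructed input: evaluate sample file contents. */
int selinux_state_of_sample(const char *content)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs(content, fp);
    rewind(fp);
    int found = fs_listed(fp, "selinuxfs");
    fclose(fp);
    return found;
}

int main(void)
{
    printf("live system:   %d\n", selinux_state("/proc/filesystems"));
    printf("missing /proc: %d\n", selinux_state("/nonexistent-dir/filesystems"));
    printf("sample:        %d\n", selinux_state_of_sample("nodev\tselinuxfs\n"));
    return 0;
}
```

A caller that folds -1 into either 0 or 1 is making a policy decision about an unknown state, which is the choice the patches in the following comments differ on.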


Comment 2 Daniel Walsh 2006-07-11 20:44:10 UTC
This change should fix it.
--- passwd-0.70/passwd.c~       2005-08-13 06:06:03.000000000 -0400
+++ passwd-0.70/passwd.c        2006-07-11 16:51:15.000000000 -0400
@@ -261,7 +261,9 @@
        /* The only flag which unprivileged users get to use is -k. */
        if ((passwd_flags & ~PASSWD_KEEP) &&
 #ifdef WITH_SELINUX
-           ((getuid() != 0) || selinux_check_passwd_access(PASSWD__PASSWD))) {
+           ((getuid() != 0) ||
+            (is_selinux_enabled() <= 0) ||
+            selinux_check_passwd_access(PASSWD__PASSWD)) {
 #else
            (getuid() != 0)) {
 #endif
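
Review bot: the added `(is_selinux_enabled() <= 0) ||` term sits inside the condition that refuses the request, so whenever SELinux is disabled (0) or its state cannot be determined (-1, the case in this report), root is refused too, which is the opposite of what the bug asks for. The state check should gate the access query instead, along the lines of `(is_selinux_enabled() > 0 && selinux_check_passwd_access(PASSWD__PASSWD))`. The new last line also closes one parenthesis fewer than the line it replaces, so the `if (` is left unclosed in the WITH_SELINUX branch.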


Comment 3 Tomas Mraz 2006-07-11 21:52:56 UTC
I'll fix it in passwd then.


Comment 4 Florian La Roche 2006-07-16 06:48:16 UTC
The above change doesn't help, so I am re-opening this.

regards,

Florian La Roche


Comment 5 Florian La Roche 2006-07-16 21:44:21 UTC
Dan's suggestion is ok, but just needs a small adjustment with the
following logic AFAIK:

--- passwd-0.69/passwd.c
+++ passwd-0.72/passwd.c
@@ -307,7 +265,8 @@
        /* The only flag which unprivileged users get to use is -k. */
        if ((passwd_flags & ~PASSWD_KEEP) &&
 #ifdef WITH_SELINUX
-           ((getuid() != 0) || checkPasswdAccess(PASSWD__PASSWD))) {
+           ((getuid() != 0) || (is_selinux_enabled() > 0 &&
+                   checkPasswdAccess(PASSWD__PASSWD)))) {
 #else
            (getuid() != 0)) {
 #endif
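
Review bot: on the added `is_selinux_enabled() > 0 &&` line, a return of -1 (state could not be determined, as with the missing /proc/filesystems in this report) is handled exactly like 0 (disabled), so checkPasswdAccess() is skipped for root whenever the probe fails, including on a system where SELinux is actually enabled. If that fail-open behaviour is intended, state it in a comment above the condition; otherwise handle the negative return separately (for example by logging it) so an unknown state is not silently treated as disabled.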


Comment 6 Tomas Mraz 2006-07-17 08:09:41 UTC
Oops, that was obviously wrong, I should have tested that. Fixed.

