Bug 196851 - passwd -d account
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: passwd
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Mike McLean
Keywords: Reopened
Blocks: FC6Target
Reported: 2006-06-27 05:16 EDT by Florian La Roche
Modified: 2007-11-30 17:11 EST
Fixed In Version: passwd-0.73-1
Doc Type: Bug Fix
Last Closed: 2006-07-17 04:09:41 EDT
Description Florian La Roche 2006-06-27 05:16:21 EDT
Description of problem:
With a stripped down /proc, "passwd -d account" does not work, even though
selinux is disabled:

brk(0x9a4c000)                          = 0x9a4c000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=447, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f21000
read(3, "# This file controls the state o"..., 4096) = 447
close(3)                                = 0
munmap(0xb7f21000, 4096)                = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getuid32()                              = 0
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/proc/self/attr/prev", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("(null)/enforce", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getuid32()                              = 0
write(2, "Only root can do that.\n", 23) = 23
exit_group(-2)                          = ?

Looks like a bit too restrictive checks.

regards,

Florian La Roche



Comment 1 Tomas Mraz 2006-06-27 15:01:50 EDT
The passwd just calls checkPasswdAccess from libselinux. The problem is that the
is_selinux_enabled() function in libselinux uses /proc/filesystems to find out
if there is selinuxfs and returns -1 if /proc/filesystems cannot be opened.

The question is whether there is a better way to check if selinux is enabled.
Comment 2 Daniel Walsh 2006-07-11 16:44:10 EDT
This change should fix it.
--- passwd-0.70/passwd.c~       2005-08-13 06:06:03.000000000 -0400
+++ passwd-0.70/passwd.c        2006-07-11 16:51:15.000000000 -0400
@@ -261,7 +261,9 @@
        /* The only flag which unprivileged users get to use is -k. */
        if ((passwd_flags & ~PASSWD_KEEP) &&
 #ifdef WITH_SELINUX
-           ((getuid() != 0) || selinux_check_passwd_access(PASSWD__PASSWD))) {
+           ((getuid() != 0) ||
+            (is_selinux_enabled() <= 0) ||
+            selinux_check_passwd_access(PASSWD__PASSWD)) {
 #else
            (getuid() != 0)) {
 #endif
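Review bot: The added (is_selinux_enabled() <= 0) || term makes the whole condition true whenever SELinux is disabled or its state cannot be determined, so root is still refused in the case this bug reports, where is_selinux_enabled() returns -1 because /proc/filesystems cannot be opened. The access check should be required only when SELinux is enabled, for example (is_selinux_enabled() > 0 && selinux_check_passwd_access(PASSWD__PASSWD)). The replacement also ends with )) { where the removed line ended with ))) {, which leaves the outer if ( unclosed.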
Comment 3 Tomas Mraz 2006-07-11 17:52:56 EDT
I'll fix it in passwd then.
Comment 4 Florian La Roche 2006-07-16 02:48:16 EDT
The above change doesn't help, so I am re-opening this.

regards,

Florian La Roche
Comment 5 Florian La Roche 2006-07-16 17:44:21 EDT
Dan's suggestion is ok, but just needs a small adjustment with the
following logic AFAIK:

--- passwd-0.69/passwd.c
+++ passwd-0.72/passwd.c
@@ -307,7 +265,8 @@
        /* The only flag which unprivileged users get to use is -k. */
        if ((passwd_flags & ~PASSWD_KEEP) &&
 #ifdef WITH_SELINUX
-           ((getuid() != 0) || checkPasswdAccess(PASSWD__PASSWD))) {
+           ((getuid() != 0) || (is_selinux_enabled() > 0 &&
+                   checkPasswdAccess(PASSWD__PASSWD)))) {
 #else
            (getuid() != 0)) {
 #endif
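Review bot: In the added condition, is_selinux_enabled() > 0 treats the -1 error return the same as 0, so when the SELinux state cannot be determined the checkPasswdAccess(PASSWD__PASSWD) call is skipped for root instead of being refused. If that is intended, a comment above the #ifdef WITH_SELINUX block should say so; otherwise handle the negative return separately from the disabled case.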
Comment 6 Tomas Mraz 2006-07-17 04:09:41 EDT
Oops, that was obviously wrong, I should have tested that. Fixed.
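
Added example, not code from passwd or libselinux: a simplified model of the tri-state probe described in Comment 1, with the conditions proposed in Comment 2 and Comment 5 written as predicates, showing how each treats root when /proc/filesystems is missing. The names selinuxfs_state, refuse_comment2, refuse_comment5 and access_denied are hypothetical, and the sample filesystem lists are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the probe described in Comment 1 (not libselinux code).
 * fs_list is the text of /proc/filesystems, or NULL if it could not be opened.
 * Returns 1 = selinuxfs listed, 0 = not listed, -1 = state unknown. */
static int selinuxfs_state(const char *fs_list)
{
    if (fs_list == NULL)
        return -1;
    for (const char *line = fs_list; *line; ) {
        size_t len = strcspn(line, "\n");
        /* Each line is "<nodev or empty>\t<name>"; the name follows the tab. */
        const char *tab = memchr(line, '\t', len);
        const char *name = tab ? tab + 1 : line;
        size_t name_len = len - (size_t)(name - line);
        if (name_len == 9 && memcmp(name, "selinuxfs", 9) == 0)
            return 1;
        line += len + (line[len] == '\n');
    }
    return 0;
}

/* Each predicate returns nonzero when flags other than -k must be refused.
 * access_denied (hypothetical) stands in for a nonzero access-check result. */
static int refuse_comment2(unsigned uid, int state, int access_denied)
{
    return uid != 0 || state <= 0 || access_denied;
}

static int refuse_comment5(unsigned uid, int state, int access_denied)
{
    return uid != 0 || (state > 0 && access_denied);
}

/* Constructed sample inputs, not captured from a real system. */
static const char FS_WITH_SELINUX[] = "nodev\tsysfs\nnodev\tselinuxfs\n\text3\n";
static const char FS_WITHOUT_SELINUX[] = "nodev\tsysfs\n\text3\n";

int main(void)
{
    const char *inputs[] = { NULL, FS_WITHOUT_SELINUX, FS_WITH_SELINUX };
    for (int i = 0; i < 3; i++) {
        int s = selinuxfs_state(inputs[i]);
        printf("state=%2d root refused: comment2=%d comment5=%d\n",
               s, refuse_comment2(0, s, 0), refuse_comment5(0, s, 0));
    }
    return 0;
}
```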
