293181 – pam_unix should user helper apps first, check shadow second.

Bug 293181 - pam_unix should user helper apps first, check shadow second.

Summary: pam_unix should user helper apps first, check shadow second.

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pam
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-17 13:00 UTC by Daniel Walsh
Modified:	2007-11-30 22:12 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-09-19 08:08:38 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Walsh 2007-09-17 13:00:23 UTC

Description of problem:

pam_unix currently defaults to checking for read access on /etc/shadow and then
fails over to using the helper applications.  This causes us to have to add 
dontaudit DOMAIN shadow_t:file r_file_perms lines to every app that uses pam. 
This prevents us from actually realizing whether a domain is tring to steal the
shadow file. 

Making this change would allow us to remove the dontaudit rule.

The code should try to execute the helper apps and if it fails to be able to
execute them (File does not exist, file is not executable), failover to using
the /etc/shadow.

Comment 1 Tomas Mraz 2007-09-19 08:08:38 UTC

Fixed in pam-0.99.8.1-7.fc8

I don't try to read /etc/shadow directly when helper fails as the helper is
always installed and reading /etc/shadow doesn't make sense. But the helper is
executed only when selinux is enabled.

Note You need to log in before you can comment on or make changes to this bug.