Bug 293181 - pam_unix should user helper apps first, check shadow second.
pam_unix should user helper apps first, check shadow second.
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-09-17 09:00 EDT by Daniel Walsh
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-19 04:08:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2007-09-17 09:00:23 EDT
Description of problem:

pam_unix currently defaults to checking for read access on /etc/shadow and then
fails over to using the helper applications.  This causes us to have to add 
dontaudit DOMAIN shadow_t:file r_file_perms lines to every app that uses pam. 
This prevents us from actually realizing whether a domain is tring to steal the
shadow file. 

Making this change would allow us to remove the dontaudit rule.

The code should try to execute the helper apps and if it fails to be able to
execute them (File does not exist, file is not executable), failover to using
the /etc/shadow.
Comment 1 Tomas Mraz 2007-09-19 04:08:38 EDT
Fixed in pam-

I don't try to read /etc/shadow directly when helper fails as the helper is
always installed and reading /etc/shadow doesn't make sense. But the helper is
executed only when selinux is enabled.

Note You need to log in before you can comment on or make changes to this bug.