Description of problem:

'switch-group' (sg) to a group with a password used to work in Fedora 10. This use case no longer works in Fedora 13 & Fedora 14.

I'm filing this against shadow-utils since that is where /usr/bin/sg lives, but the issue may be in selinux-policy or even crypt(...) which is in glibc. Best guess here is that it seems to be an SELinux issue tied to the inability of /usr/bin/newgrp (/usr/bin/sg) to read the gshadow file.

As exhibited, the problem occurs within-system, not across releases. That is: while on the same system (same Fedora release), it is not possible to establish a password for a group and then sg into that group by giving the password.

Version-Release number of selected component (if applicable):

cogently:
  works  shadow-utils-4.1.2-9.fc10.i386,   selinux-policy-targeted-3.5.13-74.fc10.noarch
  fails  shadow-utils-4.1.4.2-8.fc14.i686, selinux-policy-targeted-3.5.13-74.fc10.noarch

Perhaps the relevant SELinux policy is usermanage.te? Should there be mention of newgrp, sg, gpasswd therein?
  ./serefpolicy-3.9.7/policy/modules/admin/usermanage.te

How reproducible:

100% deterministic

Steps to Reproduce:

Any group name will do. We'll assign the password 'abcd' and try to sg into that group.

$ sudo grep roles /etc/gshadow
[sudo] password for wbaker:
roles:$6$DV2UG/fHY.$jBba3Li7vkg1LIbqdQXe.jw0OhSQpF3lIUJAKlvK1Je3Jvn..Uc1LMw/i8w7i.q1.VurbbgTQ/TiXOCQPWmx0/::
(this first exhibition is arbitrary ... to show the group exists)

$ sudo gpasswd roles
Changing the password for group roles
New Password: abcd                <----- password 'abcd'
Re-enter new password: abcd

$ sg roles -c date
Password: abcd
Invalid password.                 <----- this was unexpected

$ sudo grep roles /etc/gshadow
roles:$6$l9o/I/0pT1X/ULA$VW/enKZ2L8l8dL/07XuMjB0hjRaW.Je7LvNQobIV0TXIVKwhwVo0cLyGb8FhpLXGghZk5yDZHS/QC.FnrSFco/::

Actual results:

$ sg roles -c date
Password: abcd
Invalid password.                 <----- failed
$ cat /etc/fedora-release
Fedora release 14 (Laughlin)

Expected results:

$ sg roles -c date
Password: abcd
Sun Dec 26 13:08:44 PST 2010      <----- succeeded
$ cat /etc/fedora-release
Fedora release 10 (Cambridge)

Additional info:

works on Fedora 10

$ cat /etc/fedora-release; sudo lsattr /etc/{passwd,group,shadow,gshadow} ; echo -- ; sudo ls -ldZ /etc/{passwd,group,shadow,gshadow} ; echo -- ; rpm -q -f /etc/{passwd,group,shadow,gshadow} /usr/bin/sg /lib/libcrypt.so.1 /lib/libc.so.6
Fedora release 10 (Cambridge)
[sudo] password for wbaker:
--------------- /etc/passwd
--------------- /etc/group
--------------- /etc/shadow
--------------- /etc/gshadow
--
-rw-r--r-- root root system_u:object_r:etc_t:s0    /etc/group
-r-------- root root system_u:object_r:shadow_t:s0 /etc/gshadow
-rw-r--r-- root root system_u:object_r:etc_t:s0    /etc/passwd
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
--
setup-2.7.4-4.fc10.noarch
setup-2.7.4-4.fc10.noarch
setup-2.7.4-4.fc10.noarch
setup-2.7.4-4.fc10.noarch
shadow-utils-4.1.2-9.fc10.i386
glibc-2.9-3.i686
glibc-2.9-3.i686

$ rpm -q -a | grep selinux | sort
libselinux-2.0.78-1.fc10.i386
libselinux-devel-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386
libselinux-ruby-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
selinux-policy-3.5.13-74.fc10.noarch
selinux-policy-doc-3.5.13-74.fc10.noarch
selinux-policy-minimum-3.5.13-74.fc10.noarch
selinux-policy-mls-3.5.13-74.fc10.noarch

$ ls -ldZ /usr/bin/passwd /usr/bin/gpasswd /usr/bin/{newgrp,sg} /bin/su
-rwsr-xr-x root root system_u:object_r:su_exec_t:s0       /bin/su
-rwsr-xr-x root root system_u:object_r:groupadd_exec_t:s0 /usr/bin/gpasswd
-rwsr-xr-x root root system_u:object_r:bin_t:s0           /usr/bin/newgrp
-rwsr-xr-x root root system_u:object_r:passwd_exec_t:s0   /usr/bin/passwd
lrwxrwxrwx root root system_u:object_r:bin_t:s0           /usr/bin/sg -> newgrp

$ ls -ldZ /etc/{passwd,shadow,group,gshadow}
-rw-r--r-- root root system_u:object_r:etc_t:s0    /etc/group
-r-------- root root system_u:object_r:shadow_t:s0 /etc/gshadow
-rw-r--r-- root root system_u:object_r:etc_t:s0    /etc/passwd
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow

fails on Fedora 11, 13, 14 (I don't have a F12 install). Focusing on F14:

fails on Fedora 14

$ cat /etc/fedora-release; sudo lsattr /etc/{passwd,group,shadow,gshadow} ; echo -- ; sudo ls -ldZ /etc/{passwd,group,shadow,gshadow} ; echo -- ; rpm -q -f /etc/{passwd,group,shadow,gshadow} /usr/bin/sg /lib/libcrypt.so.1 /lib/libc.so.6
Fedora release 14 (Laughlin)
[sudo] password for wbaker:
-------------e- /etc/passwd
-------------e- /etc/group
-------------e- /etc/shadow
-------------e- /etc/gshadow
--
-rw-r--r--. root root system_u:object_r:etc_t:s0    /etc/group
----------. root root system_u:object_r:shadow_t:s0 /etc/gshadow
-rw-r--r--. root root system_u:object_r:etc_t:s0    /etc/passwd
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
--
setup-2.8.28-1.fc14.noarch
setup-2.8.28-1.fc14.noarch
setup-2.8.28-1.fc14.noarch
setup-2.8.28-1.fc14.noarch
shadow-utils-4.1.4.2-8.fc14.i686
glibc-2.12.90-21.i686
glibc-2.12.90-21.i686

$ rpm -q -a | grep selinux | sort
libselinux-2.0.96-6.fc14.1.i686
libselinux-python-2.0.96-6.fc14.1.i686
libselinux-utils-2.0.96-6.fc14.1.i686
selinux-policy-3.9.7-16.fc14.noarch
selinux-policy-targeted-3.9.7-16.fc14.noarch

$ ls -ldZ /usr/bin/passwd /usr/bin/gpasswd /usr/bin/{newgrp,sg} /bin/su
-rwsr-xr-x. root root system_u:object_r:su_exec_t:s0       /bin/su
-rwsr-xr-x. root root system_u:object_r:groupadd_exec_t:s0 /usr/bin/gpasswd
-rwsr-xr-x. root root system_u:object_r:bin_t:s0           /usr/bin/newgrp
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0   /usr/bin/passwd
lrwxrwxrwx. root root system_u:object_r:bin_t:s0           /usr/bin/sg -> newgrp

$ ls -ldZ /etc/{passwd,shadow,group,gshadow}
-rw-r--r--. root root system_u:object_r:etc_t:s0    /etc/group
----------. root root system_u:object_r:shadow_t:s0 /etc/gshadow
-rw-r--r--. root root system_u:object_r:etc_t:s0    /etc/passwd
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow

On the test machine (on Fedora 14):

$ sudo cat /var/log/audit/audit.log | audit2why
<nothing helpful>

not helpful:

$ sudo strace -s 200 -f su wbaker -c 'sg roles -c date'
... lots of stuff ...
[pid 1517] read(4, "root:x:0:root\nbin:x:1:root,bin,daemon\ndaemon:x:2:root,bin,daemon\nsys:x:3:root,bin,adm\nadm:x:4:root,adm,daemon\ntty:x:5:\ndisk:x:6:root\nlp:x:7:daemon,lp\nmem:x:8:\nkmem:x:9:\nwheel:x:10:root\nmail:x:12:mail\n"..., 4096) = 1942
[pid 1517] close(4) = 0
[pid 1517] munmap(0xb7847000, 4096) = 0
[pid 1517] open("/etc/gshadow", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)   <----- an artifact of strace?
[pid 1517] open("/etc/gshadow", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)   <----- an artifact of strace?
[pid 1517] open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)      <----- an artifact of strace?
[pid 1517] getuid32() = 500
[pid 1517] open("/usr/share/locale/locale.alias", O_RDONLY) = 4
[pid 1517] fstat64(4, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0
[pid 1517] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7847000
[pid 1517] read(4, "# Locale name alias data base.\n# Copyright (C) 1996-2001,2003,2007 Free Software Foundation, Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the G"..., 4096) = 2512
[pid 1517] read(4, "", 4096) = 0
[pid 1517] close(4) = 0
[pid 1517] munmap(0xb7847000, 4096) = 0
[pid 1517] open("/usr/share/locale/en_US.utf8/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 1517] open("/usr/share/locale/en_US/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 1517] open("/usr/share/locale/en.utf8/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 1517] open("/usr/share/locale/en/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 1517] open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 ENXIO (No such device or address)
[pid 1517] ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
[pid 1517] ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost -isig icanon -echo ...}) = 0
[pid 1517] write(2, "Password: ", 10Password: ) = 10
[pid 1517] fstat64(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 13), ...}) = 0
[pid 1517] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7847000
[pid 1517] read(0,

The code seems "the same" between the working and nonworking versions. In the source code ...

shadow-utils-4.1.4.2/shadow-4.1.4.2/src/newgrp.c

    cpasswd = pw_encrypt (cp, grp->gr_passwd);
    strzero (cp);
    if (grp->gr_passwd[0] == '\0' ||
        strcmp (cpasswd, grp->gr_passwd) != 0) {
#ifdef WITH_AUDIT
        snprintf (audit_buf, sizeof(audit_buf),
                  "authentication new-gid=%lu",
                  (unsigned long) grp->gr_gid);
        audit_logger (AUDIT_GRP_AUTH, Prog, audit_buf, NULL,
                      (unsigned int) getuid (), 0);
#endif
        SYSLOG ((LOG_INFO,
                 "Invalid password for group '%s' from '%s'",
                 groupname, pwd->pw_name));
        (void) sleep (1);
        (void) fputs (_("Invalid password.\n"), stderr);
        goto failure;
    }

shadow-utils-4.1.2/shadow-4.1.2/src/newgrp.c

    cpasswd = pw_encrypt (cp, grp->gr_passwd);
    strzero (cp);
    if (grp->gr_passwd[0] == '\0' ||
        strcmp (cpasswd, grp->gr_passwd) != 0) {
#ifdef WITH_AUDIT
        snprintf (audit_buf, sizeof(audit_buf),
                  "authentication new-gid=%d", grp->gr_gid);
        audit_logger (AUDIT_GRP_AUTH, Prog, audit_buf, NULL,
                      getuid (), 0);
#endif
        SYSLOG ((LOG_INFO,
                 "Invalid password for group `%s' from `%s'",
                 groupname, pwd->pw_name));
        sleep (1);
        fputs (_("Invalid password.\n"), stderr);
        goto failure;
    }
This is not working for me in permissive mode on F15, not sure this is related to SELinux.
Actually it is not related to SELinux at all. It is caused by completely broken getsgent code in the shadow-utils lib. Also, it incorrectly uses this code although glibc contains a fine implementation of all the required gshadow utilities, because the shadow-utils code incorrectly expects them in shadow.h when they are in gshadow.h. So as a fix, although the broken getsgent in shadow-utils should eventually be fixed, I propose to fix the build process of shadow-utils to use the functions from glibc.
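The comment above points at glibc's own gshadow(5) functions, declared in gshadow.h rather than shadow.h. The program below is an added example, not code from shadow-utils, glibc or either attachment in this bug: it exercises that glibc API (sgetsgent() for one line, fgetsgent() for a stream) on a constructed three-line gshadow sample whose hash strings are placeholders, and it mirrors the decisions the quoted newgrp.c fragment makes before it ever calls pw_encrypt(): an empty password field is rejected outright by the gr_passwd[0] == '\0' test, a '!'-prefixed field (which is what gpasswd -R writes) can never match a crypt() hash, and only a real hash reaches the strcmp. The enum and helper names are mine. It does not call crypt(), so it builds with plain gcc on a glibc system without -lcrypt.

```c
#include <stdio.h>
#include <string.h>
#include <gshadow.h>   /* glibc: struct sgrp, sgetsgent(), fgetsgent() */

/*
 * Constructed sample in /etc/gshadow layout (not the report's real file):
 *   group:encrypted-password:administrators:members
 * "root" has an empty password field, "wheel" is restricted with "!",
 * "roles" carries a placeholder hash, two admins and one member.
 */
static const char SAMPLE_GSHADOW[] =
    "root:::\n"
    "wheel:!::\n"
    "roles:$6$saltsalt$PLACEHOLDERHASH:alice,bob:carol\n";

/* What newgrp.c does with the password field before comparing hashes. */
enum gpw_state {
    GPW_EMPTY,   /* "": rejected by the gr_passwd[0] == '\0' check */
    GPW_LOCKED,  /* "!" or "*" prefix: no crypt() output ever equals it */
    GPW_HASHED   /* a hash: compared against pw_encrypt() of the typed password */
};

enum gpw_state classify_group_password(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return GPW_EMPTY;
    if (field[0] == '!' || field[0] == '*')
        return GPW_LOCKED;
    return GPW_HASHED;
}

/* Length of a NULL-terminated sg_adm / sg_mem name list. */
int count_names(char *const *list)
{
    int n = 0;
    if (list == NULL)
        return 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* Parse a single record with glibc's sgetsgent(). The returned struct and
 * its strings live in static storage inside libc and are overwritten by
 * the next gshadow call, so copy anything you need to keep. */
struct sgrp *parse_gshadow_line(const char *line)
{
    return sgetsgent(line);
}

/* Look a group up by name in a gshadow-format stream using glibc's
 * fgetsgent(), i.e. the file-reading path the comment above says
 * shadow-utils had reimplemented badly. Returns NULL if absent. */
struct sgrp *find_gshadow_entry(FILE *fp, const char *name)
{
    struct sgrp *sg;
    rewind(fp);
    while ((sg = fgetsgent(fp)) != NULL) {
        if (strcmp(sg->sg_namp, name) == 0)
            return sg;
    }
    return NULL;
}

/* Load the constructed sample into an anonymous temporary file. */
FILE *open_sample_gshadow(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(SAMPLE_GSHADOW, fp);
    fflush(fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    static const char *const names[] = { "root", "wheel", "roles", "nosuch" };
    FILE *fp = open_sample_gshadow();
    if (fp == NULL) {
        perror("tmpfile");
        return 1;
    }
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct sgrp *sg = find_gshadow_entry(fp, names[i]);
        if (sg == NULL) {
            printf("%s: no gshadow entry\n", names[i]);
            continue;
        }
        printf("%s: password state %d, %d admins, %d members\n",
               sg->sg_namp, (int) classify_group_password(sg->sg_passwd),
               count_names(sg->sg_adm), count_names(sg->sg_mem));
    }
    fclose(fp);
    return 0;
}
```

Reading the real /etc/gshadow this way needs root (the report's ls -ldZ output shows mode 0000/0400 and shadow_t), which is exactly why the set-uid newgrp/sg must open it before dropping privileges; the sample file above sidesteps that so the parsing logic can be checked unprivileged.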
Created attachment 471715 [details]
Patch making shadow-utils use the gshadow functions from glibc
Created attachment 471882 [details]
another fix

This patch fixes the gshadow functions in shadow-utils.
(In reply to comment #4)
> Created attachment 471882 [details]
> another fix
>
> this patch is fixing gshadow functions from shadow-utils

There is a bug in the patch.
Created attachment 471891 [details]
merge of both patches
shadow-utils-4.1.4.2-9.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/shadow-utils-4.1.4.2-9.fc14
shadow-utils-4.1.4.2-9.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update shadow-utils'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/shadow-utils-4.1.4.2-9.fc14
shadow-utils-4.1.4.2-9.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.