Bug 819648 - Need policy extensions for pwauth and mod_authnz_external
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 16
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-07 16:40 EDT by Philip Prindeville
Modified: 2013-02-13 13:55 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-02-13 13:55:31 EST
Type: Bug
Description Philip Prindeville 2012-05-07 16:40:56 EDT
Description of problem:

mod_authnz_external has the ability to invoke external programs for verification, such as pwauth or perl wrappers for sql, etc.

pwauth in turn is a setuid(root) program that reads /etc/shadow.

Both have obvious security implications, and may require SELinux policy rules.

Version-Release number of selected component (if applicable):

3.7.19-136

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2012-05-07 16:49:20 EDT
Does pwauth use /usr/sbin/unix_chkpwd?
Comment 2 Philip Prindeville 2012-05-07 16:57:15 EDT
(In reply to comment #1)
> Does pwauth use /usr/sbin/unix_chkpwd?

No. It can't. apache would have to setuid as the user first, which is unacceptable.

pwauth reads 2 lines from stdin: a username, newline, and a cleartext password, newline.

I suppose it could setuid as the user and then invoke unix_chkpwd, but that would add extra steps and complexity for no obvious gain.
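As an added example (not code from this bug, from pwauth or from mod_authnz_external), here is a minimal external authenticator in Python that follows the two-line stdin protocol comment 2 describes: username, newline, cleartext password, newline, with exit status 0 meaning the credentials were accepted. It checks against a constructed in-memory salted-hash table instead of /etc/shadow or PAM, so it runs unprivileged; reading the real shadow file is exactly the step that makes pwauth setuid root and is why the helper wants its own confined SELinux domain rather than httpd's. The exit-code values and the refusal of truncated input are assumptions of this example.

```python
"""Minimal external authenticator for the two-line stdin protocol
described in comment 2: username, newline, cleartext password, newline.
Constructed example: it checks against an inline salted-hash table,
not /etc/shadow or PAM, so it runs unprivileged."""
import hashlib
import hmac
import io
import os
import sys

ITERATIONS = 50_000  # PBKDF2 work factor for the demo store

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(users):
    """Build a demo store from cleartext passwords (constructed data)."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, _derive(pw, salt))
    return store

def read_credentials(stream):
    """Parse exactly two newline-terminated lines; None if malformed."""
    user, password = stream.readline(), stream.readline()
    if not user.endswith("\n") or not password.endswith("\n"):
        return None  # truncated input: refuse rather than guess
    user, password = user.rstrip("\r\n"), password.rstrip("\r\n")
    if not user or "\0" in user or "\0" in password:
        return None
    return user, password

def check(stream, store):
    """Exit status: 0 = authenticated, 1 = bad credentials, 2 = bad input."""
    creds = read_credentials(stream)
    if creds is None:
        return 2
    user, password = creds
    entry = store.get(user)
    # Run the KDF even for unknown users so timing does not reveal them.
    salt, expected = entry if entry else (b"\0" * 16, b"\0" * 32)
    ok = hmac.compare_digest(_derive(password, salt), expected)
    return 0 if ok and entry is not None else 1

def check_text(text, store):
    return check(io.StringIO(text), store)

if __name__ == "__main__":
    sys.exit(check(sys.stdin, make_store({"alice": "correct horse"})))
```

Because the password crosses the pipe in cleartext, the process on the reading end (and everything it can exec) is inside the trust boundary; that is the part an SELinux policy for the helper has to bound.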
Comment 3 Daniel Walsh 2012-05-08 10:16:53 EDT
Any reason this is not using something like saslauthd?
Comment 4 Daniel Walsh 2012-05-08 10:33:00 EDT
I just added pwauth policy for F17.
Comment 5 Philip Prindeville 2012-05-08 13:12:42 EDT
(In reply to comment #3)
> Any reason this is not using something like saslauthd?

You mean writing a wrapper for sasl_checkpass() and calling that?  One could.

I'm not sure what it would gain you. Also, the nice thing about pwauth on Linux is it's a wrapper for PAM, so whatever your backend authentication method is (shadow, LDAP, nis+, etc) it shims into easily.
Comment 6 Philip Prindeville 2012-05-08 13:13:17 EDT
(In reply to comment #4)
> I just added pwauth policy for F17.

Can you please add f16 and el6?
Comment 7 Daniel Walsh 2012-05-08 13:21:22 EDT
Sure but first I need someone to test it since all I did was try to run it from unconfined_t on F17.
Comment 8 Nalin Dahyabhai 2012-05-08 13:48:28 EDT
(In reply to comment #5)
> (In reply to comment #3)
> > Any reason this is not using something like saslauthd?
> 
> You mean writing a wrapper for sasl_checkpass() and calling that?  One could.
> 
> I'm not sure what it would gain you. Also, the nice thing about pwauth on Linux
> is it's a wrapper for PAM, so whatever your backend authentication method is
> (shadow, LDAP, nis+, etc) it shims into easily.

The default configuration for saslauthd (at least, as packaged in Fedora) is also to use PAM.
Comment 9 Philip Prindeville 2012-05-08 14:00:35 EDT
(In reply to comment #7)
> Sure but first I need someone to test it since all I did was try to run it from
> unconfined_t on F17.

I can test EL6 easily. F16 will require a little more work.
Comment 10 Philip Prindeville 2012-05-08 14:01:26 EDT
(In reply to comment #8)
> (In reply to comment #5)
> > (In reply to comment #3)
> > > Any reason this is not using something like saslauthd?
> > 
> > You mean writing a wrapper for sasl_checkpass() and calling that?  One could.
> > 
> > I'm not sure what it would gain you. Also, the nice thing about pwauth on Linux
> > is it's a wrapper for PAM, so whatever your backend authentication method is
> > (shadow, LDAP, nis+, etc) it shims into easily.
> 
> The default configuration for saslauthd (at least, as packaged in Fedora) is
> also to use PAM.

Then I'm not sure what going through saslauthd would add.
Comment 11 Daniel Walsh 2012-05-08 15:18:31 EDT
Well I believe saslauthd is a pipe that you talk to rather than a setuid application.  saslauthd is already supported.
Comment 12 Fedora End Of Life 2013-01-16 10:45:36 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Fedora End Of Life 2013-02-13 13:55:35 EST
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.