Date:	Tue, 25 Mar 2014 23:02:20 -0400
From:	Eric Paris <eparis@...hat.com>
To:	Andre Tomt <andre@...t.net>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	containers@...ts.linux-foundation.org
Subject: Re: Linux 3.14-rc8 (LXC broken)

On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote:
> *testing hat on*
> 
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
> 
> This is due to a change in return value to user space; and is
> apparently a known issue as evident in this earlier post from february:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
> 
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks take on
> this?

Fair question.

Pam only worked in non-initial pid (or user) namespace if it was also in
the non-initial network namespace.  We added support for the network
namespace in 3.14.  So now PAM in the non-initial network namespace
functions the same as it would in the initial network namespace.  aka, it
fails.  This is actually what the audit userspace people think is the
right thing to happen.  You configured PAM to fail if it couldn't do the
right audit things, and it's failing.  Needing audit=0 is not new.

BUT given we broke (already broken [remember you configured PAM to fail
if audit didn't go well and it let you log in anyway?  aka broken?])
functionality adding network namespace support I'll send a request to
Linus tomorrow to rip out our network namespace support and I'll re-add
in 3.15 when we add pid (and partial user) namespace support.

-Eric
