Message-Id: <200812061404.EJG35994.MOJOFQFOLFHtVS@I-love.SAKURA.ne.jp>
Date: Sat, 6 Dec 2008 14:04:07 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: mtk.manpages@...glemail.com
Subject: MAC and pam_nologin (was Re: man-pages-3.15 is released)
Hello.
The "man 5 nologin" says that:
    If the file /etc/nologin *exists*, login (1) will allow access only to root.
    Other users will be shown the contents of this file and their logins will be
    refused.
But this description becomes inaccurate when MAC (e.g. SELinux) is enabled.
MAC can deny open("/etc/nologin", O_RDONLY) by the root user. Thus,
    # ln /etc/shadow /etc/nologin
will create /etc/nologin which is *not readable* by login(1).
As a result, non-root users' logins are permitted while /etc/nologin *exists*.
I guess pam_nologin is using code like
    fp = fopen("/etc/nologin", "r");
    if (fp)
        /* print the contents of /etc/nologin and reject login request. */
So, I think one of the two modifications below is needed.
(1) Change the description of the manpage like
    If the file /etc/nologin *is readable*, login (1) will allow access only to
    root. Other users will be shown the contents of this file and their logins
    will be refused.
(2) Change the code of pam_nologin like
    fd = open("/etc/nologin", O_RDONLY);
    /* open() returns -1 on failure; allow login only when the file is known not to exist. */
    if (fd != -1 || errno != ENOENT)
        /* print the contents of /etc/nologin and reject login request. */
Which one is the better solution?
Regards.
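The two checks contrasted in the message, as an added worked example (not code from the message or from pam_nologin). refuse_if_openable() is the fopen()-style check the mail guesses pam_nologin uses; refuse_unless_absent() is the fail-closed variant from proposal (2), which allows login only when the kernel reports ENOENT. The function names, the NOLOGIN_TEXT string and the scratch files under /tmp are constructed for this example; since a real MAC denial (EACCES) cannot be reproduced in a portable self-test, an over-long path that the kernel rejects with ENAMETOOLONG, even for root, stands in for "exists but cannot be opened".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed message body; a real /etc/nologin would carry the admin's text. */
#define NOLOGIN_TEXT "System going down for maintenance\n"

/* Fragile check: refuses login only when the file can be opened.
 * Any open() failure, including a MAC denial (EACCES), counts as
 * "no nologin file" and lets the login through (fails open). */
int refuse_if_openable(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return 0;
    fclose(fp);
    return 1;
}

/* Fail-closed check from proposal (2): login is allowed only when the
 * kernel says the file does not exist. EACCES, ENOTDIR, ENAMETOOLONG or
 * any other error refuses the login, just as a readable file would. */
int refuse_unless_absent(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd != -1) {
        close(fd);
        return 1;
    }
    return errno != ENOENT;
}

/* Constructed input: a readable nologin file in /tmp (created once). */
const char *make_readable_nologin(void)
{
    static char path[] = "/tmp/nologin-example-XXXXXX";
    static int made;
    if (!made) {
        int fd = mkstemp(path);
        if (fd == -1) { perror("mkstemp"); exit(1); }
        if (write(fd, NOLOGIN_TEXT, strlen(NOLOGIN_TEXT)) < 0) { perror("write"); exit(1); }
        close(fd);
        made = 1;
    }
    return path;
}

/* Constructed input: a path that is guaranteed absent (created, then unlinked),
 * so open() fails with ENOENT. */
const char *make_missing_nologin(void)
{
    static char path[] = "/tmp/nologin-example-XXXXXX";
    static int made;
    if (!made) {
        int fd = mkstemp(path);
        if (fd == -1) { perror("mkstemp"); exit(1); }
        close(fd);
        unlink(path);
        made = 1;
    }
    return path;
}

/* Constructed stand-in for the MAC-denied file: a single path component far
 * longer than NAME_MAX, which open() rejects with ENAMETOOLONG regardless of
 * privilege. Like a MAC denial, the error is not ENOENT. */
const char *path_unopenable(void)
{
    static char path[8192];
    memset(path, 'a', sizeof path - 1);
    path[0] = '/';
    path[sizeof path - 1] = '\0';
    return path;
}

int main(void)
{
    const char *cases[3] = { make_readable_nologin(), make_missing_nologin(), path_unopenable() };
    const char *labels[3] = { "readable", "missing", "unopenable" };
    printf("%-12s %-18s %s\n", "case", "refuse_if_openable", "refuse_unless_absent");
    for (int i = 0; i < 3; i++)
        printf("%-12s %-18d %d\n", labels[i], refuse_if_openable(cases[i]), refuse_unless_absent(cases[i]));
    return 0;
}
```

The interesting row is the unopenable one: the fopen()-style check returns 0 (login permitted), while the fail-closed check returns 1, which is the behaviour the manpage text promises once /etc/nologin exists.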