lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1569326.X07DWxmoQX@sifl>
Date:	Fri, 09 Jan 2015 15:33:56 -0500
From:	Paul Moore <paul@...l-moore.com>
To:	Calvin Owens <calvinowens@...com>, Eric Paris <eparis@...hat.com>
Cc:	rgb@...hat.com, ebiederm@...ssion.com,
	linux-kernel@...r.kernel.org, kernel-team@...com,
	stable@...r.kernel.org, linux-audit@...hat.com
Subject: Re: [PATCH][RESEND 2] Revert "AUDIT: Allow login in non-init namespaces"

On Thursday, January 08, 2015 05:44:48 PM Calvin Owens wrote:
> This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces".
> 
> This commit incorrectly assumes that libpam treats -ECONNREFUSED as
> an indicator that audit is disabled, and -EPERM or any other error
> as a fatal error that prevents the login from continuing.
> 
> The opposite is in fact true: -EPERM allows the login to continue,
> and -ECONNREFUSED causes it to refuse the login. This behavior has
> been unchanged in upstream linux-pam since at least 2008.
> 
> Reverting this change allows libpam to again work as expected in
> non-init user namespaces.
> 
> Signed-off-by: Calvin Owens <calvinowens@...com>
> Cc: stable@...r.kernel.org
> ---
> Relevant code in linux-pam:
> https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c#n56
> 
>  kernel/audit.c | 12 +-----------
>  1 file changed, 1 insertion(+), 11 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 80983df..656e8ce 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type) int err = 0;
> 
>  	/* Only support initial user namespace for now. */
> -	/*
> -	 * We return ECONNREFUSED because it tricks userspace into thinking
> -	 * that audit was not configured into the kernel.  Lots of users
> -	 * configure their PAM stack (because that's what the distro does)
> -	 * to reject login if unable to send messages to audit.  If we return
> -	 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
> -	 * configured in and will let login proceed.  If we return EPERM
> -	 * userspace will reject all logins.  This should be removed when we
> -	 * support non init namespaces!!
> -	 */
>  	if (current_user_ns() != &init_user_ns)
> -		return -ECONNREFUSED;
> +		return -EPERM;

While I haven't had reason to test this code lately, last I knew it was 
working, what problems are you seeing Calvin?  Also, with what distribution?

-- 
paul moore
www.paul-moore.com

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ