| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 09 Jan 2015 15:33:56 -0500 From: Paul Moore <paul@...l-moore.com> To: Calvin Owens <calvinowens@...com>, Eric Paris <eparis@...hat.com> Cc: rgb@...hat.com, ebiederm@...ssion.com, linux-kernel@...r.kernel.org, kernel-team@...com, stable@...r.kernel.org, linux-audit@...hat.com Subject: Re: [PATCH][RESEND 2] Revert "AUDIT: Allow login in non-init namespaces" On Thursday, January 08, 2015 05:44:48 PM Calvin Owens wrote: > This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces". > > This commit incorrectly assumes that libpam treats -ECONNREFUSED as > an indicator that audit is disabled, and -EPERM or any other error > as a fatal error that prevents the login from continuing. > > The opposite is in fact true: -EPERM allows the login to continue, > and -ECONNREFUSED causes it to refuse the login. This behavior has > been unchanged in upstream linux-pam since at least 2008. > > Reverting this change allows libpam to again work as expected in > non-init user namespaces. > > Signed-off-by: Calvin Owens <calvinowens@...com> > Cc: stable@...r.kernel.org > --- > Relevant code in linux-pam: > https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c#n56 > > kernel/audit.c | 12 +----------- > 1 file changed, 1 insertion(+), 11 deletions(-) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 80983df..656e8ce 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 > msg_type) int err = 0; > > /* Only support initial user namespace for now. */ > - /* > - * We return ECONNREFUSED because it tricks userspace into thinking > - * that audit was not configured into the kernel. Lots of users > - * configure their PAM stack (because that's what the distro does) > - * to reject login if unable to send messages to audit. If we return > - * ECONNREFUSED the PAM stack thinks the kernel does not have audit > - * configured in and will let login proceed. If we return EPERM > - * userspace will reject all logins. This should be removed when we > - * support non init namespaces!! > - */ > if (current_user_ns() != &init_user_ns) > - return -ECONNREFUSED; > + return -EPERM; While I haven't had reason to test this code lately, last I knew it was working, what problems are you seeing Calvin? Also, with what distribution? -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists