[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150109212451.GG27996@mail.thefacebook.com>
Date: Fri, 9 Jan 2015 13:24:51 -0800
From: Calvin Owens <calvinowens@...com>
To: Paul Moore <paul@...l-moore.com>
CC: Eric Paris <eparis@...hat.com>, <rgb@...hat.com>,
<ebiederm@...ssion.com>, <linux-kernel@...r.kernel.org>,
<kernel-team@...com>, <stable@...r.kernel.org>,
<linux-audit@...hat.com>
Subject: Re: [PATCH][RESEND 2] Revert "AUDIT: Allow login in non-init
namespaces"
On Friday 01/09 at 15:33 -0500, Paul Moore wrote:
> On Thursday, January 08, 2015 05:44:48 PM Calvin Owens wrote:
> > This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces".
> >
> > This commit incorrectly assumes that libpam treats -ECONNREFUSED as
> > an indicator that audit is disabled, and -EPERM or any other error
> > as a fatal error that prevents the login from continuing.
> >
> > The opposite is in fact true: -EPERM allows the login to continue,
> > and -ECONNREFUSED causes it to refuse the login. This behavior has
> > been unchanged in upstream linux-pam since at least 2008.
> >
> > Reverting this change allows libpam to again work as expected in
> > non-init user namespaces.
> >
> > Signed-off-by: Calvin Owens <calvinowens@...com>
> > Cc: stable@...r.kernel.org
> > ---
> > Relevant code in linux-pam:
> > https://urldefense.proofpoint.com/v1/url?u=https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c%23n56&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=oEb120Cp%2FehdhuY2M7qjelK5yT8IPB5WC2nEG4obDh4%3D%0A&m=vyJMOR0vSvoBryKRT8mBRsUpUQElUD3Fa4ZBI5Vaf%2BA%3D%0A&s=4f34b8ee3ea296b034ab84da1d7f0b738cd431081878afd6f85203507a722ebe
> >
> > kernel/audit.c | 12 +-----------
> > 1 file changed, 1 insertion(+), 11 deletions(-)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 80983df..656e8ce 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> > msg_type) int err = 0;
> >
> > /* Only support initial user namespace for now. */
> > - /*
> > - * We return ECONNREFUSED because it tricks userspace into thinking
> > - * that audit was not configured into the kernel. Lots of users
> > - * configure their PAM stack (because that's what the distro does)
> > - * to reject login if unable to send messages to audit. If we return
> > - * ECONNREFUSED the PAM stack thinks the kernel does not have audit
> > - * configured in and will let login proceed. If we return EPERM
> > - * userspace will reject all logins. This should be removed when we
> > - * support non init namespaces!!
> > - */
> > if (current_user_ns() != &init_user_ns)
> > - return -ECONNREFUSED;
> > + return -EPERM;
>
> While I haven't had reason to test this code lately, last I knew it was
> working, what problems are you seeing Calvin? Also, with what distribution?
An SSH authentication setup in LXC containers on CentOS broke with the
original patch. My revert made it work again. I can dig up more detail
about the specific setup if you're interested.
Thanks,
Calvin
> --
> paul moore
> www.paul-moore.com
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists