Debian Bug report logs - #248310
libpam: problem found by running selinux (file handle not closed)


Package: libpam-runtime; Maintainer for libpam-runtime is Steve Langasek <vorlon@debian.org>; Source for libpam-runtime is src:pam.

Reported by: Luke Kenneth Casson Leighton <lkcl@lkcl.net>

Date: Mon, 10 May 2004 13:33:01 UTC

Severity: normal

Tags: pending

Found in version 0.76-15

Fixed in version pam/0.79-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#248310; Package libpam-runtime.

Acknowledgement sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpam: problem found by running selinux (file handle not closed)
Date: Mon, 10 May 2004 13:15:53 +0000
Package: libpam-runtime
Version: 0.76-15
Severity: normal
File: libpam


the following URL describes the issue:

https://listman.redhat.com/archives/fedora-selinux-list/2004-April/msg00318.html

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.5-1-686 #1 Sat Apr 24 08:47:10 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#248310; Package libpam-runtime.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 248310@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Cc: 248310@bugs.debian.org
Subject: Re: Bug#248310: libpam: problem found by running selinux (file handle not closed)
Date: Mon, 10 May 2004 14:08:03 -0400
If you can't be bothered to copy in a description of the problem, I
can't be bothered to fix it.




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#248310; Package libpam-runtime.

Acknowledgement sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.

Message #15 received at 248310@bugs.debian.org:

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Sam Hartman <hartmans@debian.org>
Cc: 248310@bugs.debian.org
Subject: Re: Bug#248310: libpam: problem found by running selinux (file handle not closed)
Date: Mon, 10 May 2004 21:35:54 +0000
On Mon, May 10, 2004 at 02:08:03PM -0400, Sam Hartman wrote:
> If you can't be bothered to copy in a description of the problem, I
> can't be bothered to fix it.
 
 what's with the attitude?  you're only encouraging me to get pissed
 at you.

 
 do you have a web browser, or do you take affront at people who wish
 to save time and space?

 for your convenience - sir - here's a copy of the email which you
 are perfectly capable of, if you could be bothered, obtaining for
 yourself.

 is that okay with you?

 just in case you can't be bothered to read it even though you insist
 that i go to the trouble of cut-and-paste what you can easily view for
 yourself, the bit that i should draw your attention to is the paragraph
 that says "this looks like a bug in pam, that file handle should
 have been closed before the execution of unix_verify".


 i trust that this is sufficient information for you to make an
 investigation into this bug, yes?

 or do i have to hold your hand whilst you do that?



On Mon, 26 Apr 2004 20:05, Krzysztof Mazurczyk <kmazurczyk wskiz poznan pl> wrote:
> > > I have started playing with new SE Linux. I have it already running.
> > > BTW minor question: There are messages in log that /sbin/unix_verify
> > > is denied to do something. System seems to work well. Because
> > > /sbin/unix_verify is from libpam-modules I'm not sure what to do -
> > > ignore or add some rules to policy for /sbin/unix_verify.
> >
> > What access is denied?
>
> avc:  denied  { getattr } for  pid=1768 exe=/sbin/unix_verify path=/proc/1768/mounts dev= ino=115867664 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_chkpwd_t tclass=file

Allow this.  The main policy will be changed to allow this.

> avc:  denied  { use } for  pid=3608 exe=/sbin/unix_verify path=/dev/null dev=sda2 ino=2021 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_crond_t tclass=fd

This looks like a bug in the policy, it should have been allowed.
Please file a bug on bugzilla.

> avc:  denied  { read write } for  pid=1795 exe=/sbin/unix_verify path=/dev/tty1 dev=sda2 ino=2845 scontext=system_u:system_r:system_chkpwd_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

This looks like a bug in pam, that file handle should have been closed
before the execution of unix_verify.

> avc:  denied  { search } for  pid=1795 exe=/sbin/unix_verify name=run dev=sda5 ino=31172 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:var_run_t tclass=dir

We should have a dontaudit for that.

> > The following is the start of what is needed for a first cut at it. Try
> > it and let me know how it goes.
> > domain_auto_trans(initrc_t, uml_exec_t, sysadm_uml_t)
>
> Yes, I have found it. But then I've got 'security-compute-sid: invalid
> context system_u:system_r:sysadm_uml_t for scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:uml_exec_t tclass=process'.
> Googling hasn't told me what to do.

In this case:
role system_r types sysadm_uml_t;

But long-term I think that the right thing to do is to make some changes
to the UML policy to cover this and related issues.





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#248310; Package libpam-runtime.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list.

Message #20 received at 248310@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Cc: 248310@bugs.debian.org
Subject: Re: Bug#248310: libpam: problem found by running selinux (file handle not closed)
Date: Sun, 30 May 2004 17:03:04 -0400
>>>>> "Luke" == Luke Kenneth Casson Leighton <lkcl@lkcl.net> writes:

    Luke> On Mon, May 10, 2004 at 02:08:03PM -0400, Sam Hartman wrote:
    >> If you can't be bothered to copy in a description of the
    >> problem, I can't be bothered to fix it.
 
    Luke>  what's with the attitude?  you're only encouraging me to
    Luke> get pissed at you.

Sorry you feel that way.  But I get a fair bit of mail and it is
important for me that I be able to determine the importance and
correctness of bug reports without unnecessary time spent on my part.
You'll get much better response time if you include the appropriate
information.




    Luke>  do you have a web browser, or do you take affront at people
    Luke> who wish to save time and space?
Yes, although not running when I received your mail.  Perhaps more
importantly, I didn't have a web at the time.  Sadly my Internet
connection does not support me downloading the entire set of
http-accessible documents for offline reading while traveling.

And I do take affront at people who wish to save *their* time when
asking *me* to do something for them.

    Luke>  for your convenience - sir - here's a copy of the email
    Luke> which you are perfectly capable of, if you could be
    Luke> bothered, obtaining for yourself.

OK, so I'm a bit confused.  It sounds like a tty (presumably stdin or
stdout) is being left open when unix_verify is run.  Why is this a
problem?  Why should I add code (and thus complexity) to change the
behavior of pam?  This is a serious question: I honestly don't see why
what PAM is doing is a bug.




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#248310; Package libpam-runtime.

Acknowledgement sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.

Message #25 received at 248310@bugs.debian.org:

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Sam Hartman <hartmans@debian.org>
Cc: 248310@bugs.debian.org
Subject: Re: Bug#248310: libpam: problem found by running selinux (file handle not closed)
Date: Sun, 30 May 2004 21:31:25 +0000
On Sun, May 30, 2004 at 05:03:04PM -0400, Sam Hartman wrote:
> >>>>> "Luke" == Luke Kenneth Casson Leighton <lkcl@lkcl.net> writes:
> 
>     Luke> On Mon, May 10, 2004 at 02:08:03PM -0400, Sam Hartman wrote:
>     >> If you can't be bothered to copy in a description of the
>     >> problem, I can't be bothered to fix it.
>  
>     Luke>  what's with the attitude?  you're only encouraging me to
>     Luke> get pissed at you.
> 
> Sorry you feel that way.  But I get a fair bit of mail and it is
> important for me that I be able to determine the importance and
> correctness of bug reports without unnecessary time spent on my part.

 i would have responded much much better to an even shorter 
 "please provide more info" message, as there is no negative implied.

 i _frequently_ forget to provide herbert (who does kernel image)
 with sufficient information, and he is _always_ patient, brief
 and to the point.  e.g. "please provide dmesg output" or some-such.

 

> You'll get much better response time if you include the appropriate
> information.
 
 i appreciate that.
 
 i'm sorry, i sometimes get totally disproportionately wild
 at certain kinds of comments: call it repressed anger, or
 something, and the brakes are off.

 anyway, please try to forget it, let's start again?

>     Luke>  for your convenience - sir - here's a copy of the email
>     Luke> which you are perfectly capable of, if you could be
>     Luke> bothered, obtaining for yourself.
> 
> OK, so I'm a bit confused.  It sounds like a tty (presumably stdin or
> stdout) is being left open when unix_verify is run.  Why is this a
> problem?

> Why should I add code (and thus complexity) to change the
> behavior of pam?  This is a serious question: I honestly don't see why
> what PAM is doing is a bug.
 
 it's a security issue: an open file handle is being passed over to
 an exec'd child process that has no right to it, and should not have
 been passed it.

 i don't pretend to know the exact details, and will solicit more info
 from russell, who noticed the issue initially.

 l.
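The leak Luke describes above (a tty or other handle inherited by the exec'd helper) is what the later 0.79-1 changelog entry "clean up file descriptors when invoking unix_chkpwd" addresses. The following is an added example, not code from pam or from anyone in this thread: on Linux it walks /proc/self/fd and either closes every descriptor at or above a threshold (what a parent does in the child between fork() and exec()) or marks them FD_CLOEXEC so they disappear at exec() time. The function names and the /proc/self/fd walk are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 1 if fd is an open descriptor in this process, else 0. */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Apply action() to every open descriptor numbered >= lowfd, skipping the
 * descriptor that backs the /proc/self/fd listing itself.  Returns how many
 * descriptors action() handled, or -1 if /proc is unavailable (Linux assumed). */
static int for_each_fd_from(int lowfd, int (*action)(int)) {
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int self = dirfd(dir), handled = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] < '0' || ent->d_name[0] > '9')
            continue;                       /* skip "." and ".." */
        int fd = atoi(ent->d_name);
        if (fd < lowfd || fd == self)
            continue;
        if (action(fd) == 0)
            handled++;
    }
    closedir(dir);
    return handled;
}

static int do_close(int fd) { return close(fd); }

static int do_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Close every descriptor >= lowfd.  Run in the child after fork() and before
 * exec() of the helper, so /dev/tty1 or a crond pipe never reaches it. */
int close_fds_from(int lowfd) {
    return for_each_fd_from(lowfd, do_close);
}

/* Alternative for the parent: keep its descriptors but mark them
 * close-on-exec, so the kernel drops them at exec() without any child-side
 * cleanup.  Descriptors below lowfd (normally 0-2) are left as they are. */
int cloexec_fds_from(int lowfd) {
    return for_each_fd_from(lowfd, do_cloexec);
}
```

Whichever variant is used, descriptors 0-2 still need to be pointed at /dev/null before exec() if the caller's stdin/stdout are a tty, since the SELinux chr_file denial in the thread came through those.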




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#248310; Package libpam-runtime.

Acknowledgement sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.

Message #30 received at 248310@bugs.debian.org:

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: SE-Linux <selinux@tycho.nsa.gov>, 248310@bugs.debian.org
Cc: Russell Coker <russell@coker.com.au>
Subject: pam /sbin/unix_verify file handle not being closed
Date: Sun, 30 May 2004 21:35:26 +0000
russell, hi,

a couple of months ago you responded to someone who had noticed
that /sbin/unix_verify was throwing up some strange audit messages.

	http://listman.redhat.com/archives/fedora-selinux-list/2004-April/msg00318.html

the debian maintainer for pam has responded, and is puzzled by the
issue / necessity for closing a file handle that isn't used (or
whatever).

[ for that matter, so is the openssh developer puzzled by the
  fdset close-on-exec patch made to openssh especially as it's
  a file handle that is normally opened on /dev/null or dup'd
  to std{in,out,err} or something, but hey :) ]

any clues?

l.

-- 
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
lkcl.net
lkcl@lkcl.net




Tags added: pending Request was from vorlon@users.alioth.debian.org to control@bugs.debian.org.

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to Luke Kenneth Casson Leighton <lkcl@lkcl.net>:
Bug acknowledged by developer.

Message #37 received at 248310-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 248310-close@bugs.debian.org
Subject: Bug#248310: fixed in pam 0.79-1
Date: Mon, 26 Sep 2005 20:47:07 -0700
Source: pam
Source-Version: 0.79-1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.79-1_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.79-1_i386.deb
libpam-doc_0.79-1_all.deb
  to pool/main/p/pam/libpam-doc_0.79-1_all.deb
libpam-modules_0.79-1_i386.deb
  to pool/main/p/pam/libpam-modules_0.79-1_i386.deb
libpam-runtime_0.79-1_all.deb
  to pool/main/p/pam/libpam-runtime_0.79-1_all.deb
libpam0g-dev_0.79-1_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.79-1_i386.deb
libpam0g_0.79-1_i386.deb
  to pool/main/p/pam/libpam0g_0.79-1_i386.deb
pam_0.79-1.diff.gz
  to pool/main/p/pam/pam_0.79-1.diff.gz
pam_0.79-1.dsc
  to pool/main/p/pam/pam_0.79-1.dsc
pam_0.79.orig.tar.gz
  to pool/main/p/pam/pam_0.79.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 248310@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 25 Sep 2005 22:08:20 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-1
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support.
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 248310 249499 284954 295296 300775 319026 323982 327876 330097
Changes: 
 pam (0.79-1) unstable; urgency=low
 .
   * New upstream version (closes: #284954, #300775).
     - includes some fixes for typos (closes: #319026).
     - pam_unix should now be LSB 3.0-compliant (closes: #323982).
     - fixes segfaults in libpam on config file syntax errors
       (closes: #330097).
   * Drop patches 000_bootstrap, 004_libpam_makefile_static_works,
     011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes,
     025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set,
     033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE,
     035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required,
     041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors,
     051_32_bit_pam_lastlog_ll_time, and
     053_pam_unix_user_known_returns_user_unknown which have been
     integrated upstream.
   * Merge one last bit of patch 053 into patch 043, where it should have
     been in the first place
   * Patch 057: SELinux support:
     - add support to pam_unix for copying SELinux security contexts when
       writing out new passwd/shadow files and creating lockfiles
     - support calling unix_chkpwd if opening /etc/shadow fails due to
       SELinux permissions
     - allow unix_chkpwd to authenticate for any user when in an SELinux
       context (hurray!); we depend on SELinux policies to prevent the
       helper's use as a brute force tool
     - also support querying user expiration info via unix_chkpwd
     - misc cleanup: clean up file descriptors when invoking unix_chkpwd
       (closes: #248310)
     - make pam_rootok check the SELinux passwd class permissions, not just
       the uid
     - add new pam_selinux module (closes: #249499)
   * Build-depend on libselinux1-dev.
   * Fix pam_getenv, so that it can read the actual format of /etc/environment
     instead of trying to read it using the syntax of
     /etc/security/pam_env.conf; thanks to Colin Watson for the patch.
     Closes: #327876.
   * Set LC_COLLATE=C when using alphabetic range expressions in
     debian/rules; bah, so *that's* what kept happening to my README file
     when trying to build out of svn!  Closes: #295296.
   * Add a reference to the text of the GPL to debian/copyright.
Files: 




Tags added: pending Request was from vorlon@users.alioth.debian.org to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 13:44:47 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 17:29:52 2023; Machine Name: buxtehude