Debian Bug report logs - #451722
libpam-modules: selinux module does not properly set shell security context properly

Package: libpam-modules; Maintainer for libpam-modules is Steve Langasek <vorlon@debian.org>; Source for libpam-modules is src:pam.

Reported by: Philip Tricca <phil@noggle.biz>

Date: Sat, 17 Nov 2007 23:36:01 UTC

Severity: normal

Tags: fixed-upstream, upstream

Found in version pam/0.99.7.1-5

Fixed in version pam/1.0.1-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#451722; Package libpam-modules.

Acknowledgement sent to Philip Tricca <phil@noggle.biz>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Philip Tricca <phil@noggle.biz>
To: submit@bugs.debian.org
Subject: libpam-modules: selinux module does not properly set shell security context properly
Date: Sat, 17 Nov 2007 18:35:37 -0500
Package: libpam-modules
Version: 0.99.7.1-5
Severity: wishlist

After updating the policy login mapping using semanage, the selinux pam
module does not properly set the security context for the login shell
(refpolicy strict).  This problem has been resolved in the latest
upstream selinux module (version 0.99.9.0).  A workaround in use
currently requires compiling libpam_selinux.so from the 0.99.9.0 sources
and replacing the library in /lib/security/.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-modules depends on:
ii  libc6                        2.6.1-1+b1  GNU C Library: Shared libraries
ii  libdb4.6                     4.6.19-1    Berkeley v4.6 Database Libraries [
ii  libpam0g                     0.99.7.1-5  Pluggable Authentication Modules l
ii  libselinux1                  2.0.15-2+b1 SELinux shared libraries

libpam-modules recommends no packages.

-- no debconf information
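
The check the report implies, as an added example (not part of the original bug report or of PAM): compare the SELinux user in a session's context with the user the login mapping assigns. It assumes the mapping file uses the login:seuser[:range] line format of the seusers file; the function names, the login alice and the sample mapping are constructed for illustration, and %group entries are not handled.

```sh
#!/bin/sh
# Added example: does a login shell's SELinux user match the login mapping?

# expected_seuser LOGIN SEUSERS_FILE
# Prints the SELinux user mapped to LOGIN, falling back to __default__.
# Assumed line format: login:seuser[:mls-range]; %group lines are ignored.
expected_seuser() {
    awk -F: -v login="$1" '
        /^[ \t]*(#|$)/       { next }          # skip comments and blank lines
        $1 == login          { exact = $2 }
        $1 == "__default__"  { dflt = $2 }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else                 exit 1        # no usable mapping at all
        }' "$2"
}

# context_seuser CONTEXT
# Prints the first field of a user:role:type[:range] security context.
context_seuser() {
    printf '%s\n' "${1%%:*}"
}

# check_login_context LOGIN CONTEXT SEUSERS_FILE
# Returns 0 on match, 1 on mismatch, 2 if the login has no mapping.
check_login_context() {
    want=$(expected_seuser "$1" "$3") || { echo "no mapping for $1"; return 2; }
    got=$(context_seuser "$2")
    if [ "$want" = "$got" ]; then
        echo "ok: $1 runs as $got"
    else
        echo "mismatch: $1 is mapped to $want but the shell runs as $got"
        return 1
    fi
}

# Constructed sample mapping and contexts (not taken from the report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# login:seuser
__default__:user_u
root:root
alice:staff_u
EOF
check_login_context alice "staff_u:staff_r:staff_t" "$sample" || true
check_login_context alice "user_u:user_r:user_t" "$sample" || true
rm -f "$sample"
```

On a live system the context argument would come from `id -Z` run in the login shell.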





Tags added: fixed-upstream, upstream. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2007 01:21:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#451722; Package libpam-modules.

Acknowledgement sent to Václav Ovsík <vaclav.ovsik@i.cz>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.

Message #12 received at 451722@bugs.debian.org:

From: Václav Ovsík <vaclav.ovsik@i.cz>
To: 451722@bugs.debian.org
Subject: pam 0.99.9.0 debian package
Date: Wed, 13 Feb 2008 18:34:58 +0100

Hi,
I think that the severity of this bug should be raised.
Experimenting with SELinux will be much harder without the proper
PAM.

There is an unofficial pam Debian package 0.99.9.0:
http://linux.i.cz/debian/pool/main/p/pam/pam_0.99.9.0-1~icz+1.dsc
It is part of my experimental selinux repository
deb http://linux.i.cz/debian selinux-sid main

One possibility is to backport the pam_selinux module; the other is to
upgrade the whole of PAM. I think that, in the long run, it is better to
upgrade PAM.

The PAM 0.99.9.0 at the above URL can be a starting point. Review is
needed, of course. I was playing with quilt hard :). Many patches were
already upstream; these can be taken as done. The harder part was the rest
of the patches. Most patches match with some offset; some needed a bit of
change.

I will be very happy if the new PAM fits into Lenny.

Kind regards
-- 
Zito




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#451722; Package libpam-modules.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.

Message #17 received at 451722@bugs.debian.org:

From: Manoj Srivastava <srivasta@debian.org>
To: control@bugs.debian.org, 451722@bugs.debian.org
Subject: Please upload a fixed PAM
Date: Fri, 21 Mar 2008 04:49:55 -0500
severity 451722 normal
thanks

Hi,

        The bug prevents testing security policy, and getting a working
 Debian security machine. Please upload a fixed PAM, so we can get more
 Debian specific policy fixes in place before things freeze for  lenny.

        manoj
-- 
It doesn't matter what you do, it only matters what you say you've done
and what you're going to do.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Severity set to `normal' from `wishlist'. Request was from Manoj Srivastava <srivasta@debian.org> to control@bugs.debian.org. (Fri, 21 Mar 2008 10:03:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#451722; Package libpam-modules.

Acknowledgement sent to Uwe Hermann <uwe@hermann-uwe.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.

Message #24 received at 451722@bugs.debian.org:

From: Uwe Hermann <uwe@hermann-uwe.de>
To: Manoj Srivastava <srivasta@debian.org>, Václav Ovsík <vaclav.ovsik@i.cz>, Philip Tricca <phil@noggle.biz>, Steve Langasek <vorlon@debian.org>
Cc: 451722@bugs.debian.org
Subject: Re: Please upload a fixed PAM
Date: Mon, 12 May 2008 19:00:00 +0200
Hi,

On Fri, Mar 21, 2008 at 04:49:55AM -0500, Manoj Srivastava wrote:
> Hi,
> 
>         The bug prevents testing security policy, and getting a working
>  Debian security machine. Please upload a fixed PAM, so we can get more
>  Debian specific policy fixes in place before things freeze for  lenny.
> 
>         manoj

Any news on this issue/bug (#451722)? I'm seeing the same problem on a recent
unstable installation which prevents most SELinux usage.

The issue is fixed in later upstream releases (either 0.99.10 or 1.0.0)
and there's also a backported patch in Ubuntu which could be used in the
Debian package if upgrading to a higher upstream version is a problem.

http://patches.ubuntu.com/p/pam/pam_0.99.7.1-5ubuntu6.patch


Thanks, Uwe.
-- 
http://www.hermann-uwe.de  | http://www.holsham-traders.de
http://www.crazy-hacks.org | http://www.unmaintained-free-software.org




Tags added: pending. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Wed, 23 Jul 2008 00:18:02 GMT)

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to Philip Tricca <phil@noggle.biz>:
Bug acknowledged by developer.

Message #31 received at 451722-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 451722-close@bugs.debian.org
Subject: Bug#451722: fixed in pam 1.0.1-1
Date: Wed, 30 Jul 2008 04:17:03 +0000
Source: pam
Source-Version: 1.0.1-1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_1.0.1-1_amd64.deb
  to pool/main/p/pam/libpam-cracklib_1.0.1-1_amd64.deb
libpam-doc_1.0.1-1_all.deb
  to pool/main/p/pam/libpam-doc_1.0.1-1_all.deb
libpam-modules_1.0.1-1_amd64.deb
  to pool/main/p/pam/libpam-modules_1.0.1-1_amd64.deb
libpam-runtime_1.0.1-1_all.deb
  to pool/main/p/pam/libpam-runtime_1.0.1-1_all.deb
libpam0g-dev_1.0.1-1_amd64.deb
  to pool/main/p/pam/libpam0g-dev_1.0.1-1_amd64.deb
libpam0g_1.0.1-1_amd64.deb
  to pool/main/p/pam/libpam0g_1.0.1-1_amd64.deb
pam_1.0.1-1.diff.gz
  to pool/main/p/pam/pam_1.0.1-1.diff.gz
pam_1.0.1-1.dsc
  to pool/main/p/pam/pam_1.0.1-1.dsc
pam_1.0.1.orig.tar.gz
  to pool/main/p/pam/pam_1.0.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 451722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 28 Jul 2008 13:56:26 -0700
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source all amd64
Version: 1.0.1-1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 155583 203222 367834 382987 403718 404836 421010 442049 444427 451722 454237 469635 470137 484249 491821
Changes: 
 pam (1.0.1-1) unstable; urgency=low
 .
   * New upstream version.
     - pam_limits: bound RLIMIT_NICE from below. Closes: #403718.
     - pam_mail: set the MAIL variable even when .hushlogin is set.
       Closes: #421010.
     - new minclass option introduced for pam_cracklib.  Closes: #454237.
     - fix a failure to check the string length when matching usernames in
       pam_group.  Closes: #444427.
     - fix setting shell security context in pam_selinux.  Closes: #451722.
     - use --disable-audit, to avoid libaudit being linked in
       accidentally
     - pam_unix now supports SHA-256 and SHA-512 password hashes.
       Closes: #484249, LP: #245786.
     - pam_rhosts_auth is dropped upstream (closes: #382987); add a compat
       symlink to pam_rhosts to support upgrades for a release, and give a
       warning in NEWS.Debian.
     - new symbol in libpam.so.0, pam_modutil_audit_write; shlibs bump, and
       do another round of service restarts on upgrade.
     - pam_unix helper is now called whenever an unprivileged process
       tries and fails to query a user's account status.  Closes: #367834.
   * Drop patches 006_docs_cleanup, 015_hurd_portability,
     019_pam_listfile_quiet, 024_debian_cracklib_dict_path, 038_support_hurd,
     043_pam_unix_unknown_user_not_alert, 046_pam_group_example,
     no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch,
     pam_tally_audit.patch, 057_pam_unix_passwd_OOM_check, and
     065_pam_unix_cracklib_disable which have been merged upstream.
   * Patch 022_pam_unix_group_time_miscfixes: partially merged upstream;
     now is really just "pam_group_miscfixes".
   * Patch 007_modules_pam_unix partially superseded upstream; stripping
     hpux-style expiry information off of password fields is now supported.
   * New patch pam_unix_thread-safe_save_old_password.patch, to make sure all
     our getpwnam() use in pam_unix is thread-safe (fixes an upstream
     regression)
   * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
     regression which prevents sgid shadow apps from being able to authenticate
     any more because the module forces use of the helper and the helper won't
     allow authentication of arbitrary users.  This change does mean we're
     going to be noisier for the time being in an SELinux environment, which
     should be addressed but is not a regression on Debian.
   * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an
     upstream change that causes unix_chkpwd to assume that setuid(getuid())
     is sufficient to drop permissions and attempt any authentication on
     behalf of the user.
   * The password-changing helper functionality for SELinux systems has been
     split out into a separate unix_update binary, so at long last we can
     change unix_chkpwd to be sgid shadow instead of suid root.
     Closes: #155583.
     - Update the lintian override to match.
   * Install the new unix_update helper into libpam-modules.
   * Use a pristine upstream tarball instead of repacking; requires various
     changes to debian/rules and debhelper files.
   * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn,
     and how!
   * Debconf translations:
     - Romanian, thanks to Igor Stirbu <igor.stirbu@gmail.com>
       (closes: #491821)
   * Add libpam0g.symbols, for finer-grained package dependencies with
     dpkg-gensymbols.
   * Fix debian/copyright to list the known copyright holders
   * Fix up the doc-base sections for the libpam-doc documentation, "Apps"
     should not be part of the section name
   * Also fix up whitespace issues in the doc-base abstracts
   * Fix a typo in the libpam0g-dev description.
   * 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also
     invalid for RLIMIT_NOFILE, so when resetting the limits for a new session,
     use the kernel default of 1024 instead.  Closes: #404836.
   * Create /etc/environment on initial install of libpam-modules (or on
     upgrade from an old version), to quell warnings in the logs about it
     being missing.  Closes: #442049.
   * 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for
     the NSS source of our user; this was preventing password changes for NIS
     users, which otherwise should have worked.  Closes: #203222, LP: #9224.
   * New patch do_not_check_nis_accidentally: respect the 'nis' option
     (set or unset) when looking up the user's password entry for password
     changes.  Thanks to Quentin Godfroy <godfroy@clipper.ens.fr> for the
     patch.  Closes: #469635.
   * Drop patch 049_pam_unix_sane_locking, which upon review is not needed;
     it reduces the length of time we hold the lock, but at the expense of
     being able to enforce minimum times between password changes.
   * debian/watch: upstream has hit 1.0, so we're no longer in a "pre"
     directory.  Fix up the regex for uscan.
   * Fix the libpam0g-dev examples directory to not include a gratuitous
     .cvsignore file.
   * New patch, pam.d-manpage-section, to fix the manpage references to
     point to section 5 instead of section 8.
   * Update patch PAM-manpage-section to fix the references to pam(7) from
     other manpages.  Closes: #470137.
   * Add debian/README.source documenting that this package uses quilt.
   * Bump Standards-Version to 3.8.0.
   * Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks
     to Tomas Mraz <tmraz@redhat.com> for indirectly bringing this to my
     attention

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIj+kDKN6ufymYLloRAkTcAJ439wbpuxSC4MJ6bxArhGfK2k5qngCggWc3
lcN/vP31rMFDyra/1e11e10=
=yd9G
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Aug 2008 07:28:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 23:19:57 2014; Machine Name: buxtehude.debian.org
