Steve Grubb wrote:
> Do not work with shadow directly from a web server. The most trusted of all
> databases cannot be made readable/writable to an external facing, potentially
> compromised daemon. Apache trying to write to shadow would be indicative of
> an intrusion attempt.
I am not trying to work with shadow directly from a web server. I was
experimenting with configuring things to get mod_auth_shadow to work.
This module talks to a suid root program that reads the shadow file and
returns whether a user can be authorized. With SELinux in enforcing
mode, the suid root program is denied read access to the shadow file.
2) An rpm that attempts to add a user in a pre/post install script fails
to add the user. useradd is denied write access to /etc/shadow.
> Is the rpm command being run from apache?
No. By hand from a terminal. I suspect the problem has something to do
with no transition from the domain rpm is running in to one that allows
access to the shadow file when the context is set to public_content_t. Not
sure though, my understanding of this is quite hazy.
3) I get a lot of the following SELinux alerts:
SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow
(public_content_t).
> Yep. restorecon /etc/shadow will fix that.
Sure. But then mod_auth_shadow doesn't work.
Do I have to set the file context of /etc/shadow to public_content_rw_t,
and set a boolean to allow anonymous writes? There doesn't seem to be
any such boolean for rpm.
> What exactly were you trying to do?
The goal is to make mod_auth_shadow work in a secure fashion with
SELinux in enforcing mode. I basically tried the above and can get
mod_auth_shadow to work. The problem is I think the solution is
insecure but my knowledge of SELinux is not sufficient to pinpoint
exactly why it is insecure. So I asked.
The solution to achieve the results I want is probably a more
sophisticated policy, or possibly a modified helper program.
If anyone has suggestions I'd be interested in hearing them.
Scott
_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
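An offline check for the two symptoms the thread describes (shadow relabelled public_content_t, and the resulting setroubleshoot one-liner), added here as an example rather than code from the thread or from mod_auth_shadow. The `ls -Z` lines and the alert text are constructed from the message above; updpwd_t is the domain named in the alert, while useradd_t and passwd_t are reference-policy domain names assumed for illustration.

```shell
# Added example, not code from the thread. Offline checks for the two symptoms
# described above: /etc/shadow carrying public_content_t instead of shadow_t,
# and the setroubleshoot one-liner that results. Input is constructed here.

# Read `ls -Z` style lines on stdin (context field, path last) and report every
# shadow database whose type is not shadow_t. Exit status = mismatch count.
check_labels() {
  awk '
    { ctx = ""; for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
      if (ctx == "") next
      split(ctx, c, ":")                       # user:role:type[:range]
      if (($NF == "/etc/shadow" || $NF == "/etc/gshadow") && c[3] != "shadow_t") {
        printf "MISMATCH %s is %s, expected shadow_t (fix: restorecon %s)\n", $NF, c[3], $NF
        n++ } }
    END { exit n + 0 }'
}

# Reduce 'SELinux is preventing SRC (SDOM) "PERM" to TGT (TTYPE).' to
# "SDOM PERM TTYPE" so the denial is judged by its labels, not by the path.
parse_avc_summary() {
  printf '%s\n' "$1" |
    sed -n 's/^SELinux is preventing [^ ]* (\([^)]*\)) "\([^"]*\)" to [^ ]* (\([^)]*\))\.*$/\1 \2 \3/p'
}

# Classify a parsed denial: a shadow-handling domain hitting public_content_t
# means the file is mislabelled; the answer is restorecon, not a new allow rule.
# useradd_t and passwd_t are assumed reference-policy names, not from the thread.
classify_denial() {
  set -- $1                       # $1=source domain $2=permission $3=target type
  case "$1:$3" in
    updpwd_t:public_content_t|useradd_t:public_content_t|passwd_t:public_content_t)
      echo "relabel: $1 wants $2 on a file typed $3; shadow has lost its shadow_t label" ;;
    *:shadow_t)
      echo "policy: $1 denied $2 on shadow_t; needs a domain with shadow access, not a boolean" ;;
    *)
      echo "unknown: $1 $2 $3" ;;
  esac
}

# Constructed sample data mirroring the thread.
check_labels <<'EOF' || echo "$? mislabelled shadow database(s)"
-r-------- root root system_u:object_r:public_content_t /etc/shadow
-r-------- root root system_u:object_r:shadow_t         /etc/gshadow
EOF
classify_denial "$(parse_avc_summary 'SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow (public_content_t).')"
```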