Gentoo Forums
openrc+selinux: run_init asking for login user password
deagol (n00b)
Joined: 12 Jul 2014
Posts: 61
Posted: Mon Jul 12, 2021 7:16 pm    Post subject: openrc+selinux: run_init asking for login user password

I'm using selinux with openrc (stable) and with the last system update I encountered a curious issue; I'm not sure if it's a bug or an error on my end:
Prior to the update today, starting/stopping/querying a daemon was asking for the root password, like e.g. here:
Code:
smaug ~ # rc-service postfix status
Authenticating root.
Password:
 * postfix/postfix-script: the Postfix mail system is running: PID: 4362     [ ok ]

Now after the update today I'm asked to provide the login user password:
Code:
smaug /etc/portage/patches/sys-apps/openrc # rc-service postfix status
Authenticating alex.
Password:
 * Authentication failed for alex

The user alex is the username I'm using to connect to the system via ssh prior to switching to root with "sudo -s". But this user has no valid password and uses ssh keys to log in, and therefore I could no longer restart any daemon after the update.
I can of course enable "pam_rootok.so" in "/etc/pam.d/run_init" to bypass the password prompt (used that as a workaround) but the next question was why the behaviour changed and how to get run_init to ask me again for the root password...

Now the relevant change of the update today was just that sys-apps/openrc got rebuilt with the additional flag "audit" set automatically. (Don't understand why that was only set today and not e.g. for the last update roughly two weeks ago, but I also don't care about that here.)

And with the "audit" useflag the following code in "src/rc/rc-selinux.c" from sys-apps/openrc switched from asking for the current user (root) password to the login user (alex) password:
Code:
/* Authenticates the user, returns 0 on success, 1 on fail */
static int check_auth()
{
        struct passwd *pw;
        uid_t uid;

#ifdef HAVE_AUDIT
        uid = audit_getloginuid();
        if (uid == (uid_t) -1)
                uid = getuid();
#else
        uid = getuid();
#endif

        pw = getpwuid(uid);
        if (!pw) {
                eerror("cannot find your entry in the passwd file.");
                return (-1);
        }

        printf("Authenticating %s.\n", pw->pw_name);

Now the question I have is, why run_init from openrc uses "audit_getloginuid()" when the audit flag is set. Is this a bug or just a feature I do not understand?

Using the login UID is of course returning the user I used for the initial ssh login to the system. But when I switch the user to root I would expect to "be" root.
(And using e.g. "sudo su -" instead of sudo -s has the same problem, btw.)

And id claims I'm "fully" root:
Code:
smaug ~ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) context=staff_u:sysadm_r:sysadm_t


Has someone here an idea why "src/rc/rc-selinux.c" has code to not ask for the current user password but for the login user password when we have audit enabled?
Without any way to tell it that it still should ask for the root password instead...

edit:
This is not a label issue, switching selinux to permissive has no effect.
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 21631
Posted: Tue Jul 13, 2021 2:03 am    Post subject: Re: openrc+selinux: run_init asking for login user password

deagol wrote:
Now the relevant change of the update today was just that sys-apps/openrc got rebuild with the additional flag "audit" set automatically. (Don't understand why that was only set today and not e.g. for the last update roughly two weeks ago but I also don't care about that here.)
The ebuild does not currently have it marked as default-enabled. Either you picked it up from your Gentoo-managed profile, or you enabled it locally.
deagol wrote:
Now the question I have is, why run_init from openrc uses "audit_getloginuid()" when the audit flag is set. Is this a bug or just a feature I do not understand?
sys-apps/openrc passes MKAUDIT=$(usex audit) to emake. This will cause the parameters to Make to change depending on whether you have USE=audit or USE=-audit. In mk/os-Linux.mk, we see:
Code:
ifeq (${MKAUDIT},yes)
LIBAUDIT?=   -laudit
CPPFLAGS+=   -DHAVE_AUDIT
LDADD+=      ${LIBAUDIT}
endif
MKAUDIT=yes will cause -DHAVE_AUDIT in the preprocessor flags, which would enable the code block you cited.
deagol wrote:
Using the login UID is of course returning the user I used for the initial ssh login to the system. But when I switch the user to root I would expect to "be" root.
You are root for permissions purposes. For auditing purposes, your original uid will follow you for the sake of generating more helpful audit messages. (A log reviewer who sees that "root" did something bad would need to read back through prior logs to find who became the root that did the bad thing. By keeping your original uid with the process tree, the audit log can directly blame "alex", making the log review easier.)
deagol wrote:
Has someone here an idea why "src/rc/rc-selinux.c" has code to not ask for the current user password but for the login user password when we have audit enabled?
Sorry, no answer on this point. Maybe the idea was that this would simplify access control, since instead of everyone knowing root's password, each administrator would know his/her own password, and use that. There is precedent in how sudo works on this point.

With the right configuration, you can have each user assigned a personal password, and still disallow using that password over the network.
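Added example (not openrc's code, and not from either poster): a small C program that reproduces the uid selection of the check_auth() quoted in the first post and shows the login-uid behaviour Hu describes. libaudit's audit_getloginuid() reads /proc/self/loginuid, a value that sshd's PAM stack (pam_loginuid) sets once when the session is opened and that su/sudo do not change; the program reads that file directly so it builds without -laudit, parses it the way libaudit does (4294967295 meaning "not set"), and prints which account would be prompted for a password with USE=audit versus USE=-audit. The helper names (loginuid_from_text, auth_uid_with_audit, auth_uid_without_audit, read_own_loginuid) are my own and do not exist in openrc.

```c
/*
 * loginuid_demo.c - added example, not part of openrc.
 *
 * Reproduces the uid selection of openrc's check_auth() without PAM:
 * with HAVE_AUDIT the audit login uid is used unless it is unset, in
 * which case the real uid is used; without HAVE_AUDIT the real uid is
 * always used. audit_getloginuid() reads /proc/self/loginuid, which is
 * what this program reads directly.
 *
 * Build: cc -Wall -o loginuid_demo loginuid_demo.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Kernel value meaning "no login uid has been set"; same as (uid_t)-1. */
#define LOGINUID_UNSET ((uid_t)-1)

/*
 * Parse the text form found in /proc/<pid>/loginuid, e.g. "1000\n" or
 * "4294967295\n". Malformed or out-of-range input is reported as
 * LOGINUID_UNSET, which is what the caller falls back on anyway.
 */
uid_t loginuid_from_text(const char *text)
{
    char *end;
    unsigned long long v;

    if (!text || !*text)
        return LOGINUID_UNSET;
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno || end == text)
        return LOGINUID_UNSET;
    /* only trailing whitespace/newline may follow the number */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' || v > 0xffffffffULL)
        return LOGINUID_UNSET;
    return (uid_t)v;
}

/* Selection rule of the quoted check_auth() when built with -DHAVE_AUDIT. */
uid_t auth_uid_with_audit(uid_t loginuid, uid_t realuid)
{
    return loginuid == LOGINUID_UNSET ? realuid : loginuid;
}

/* Selection rule of the quoted check_auth() when built without HAVE_AUDIT. */
uid_t auth_uid_without_audit(uid_t realuid)
{
    return realuid;
}

/* Read /proc/self/loginuid; LOGINUID_UNSET if missing or unparsable. */
uid_t read_own_loginuid(void)
{
    char buf[32];
    uid_t uid = LOGINUID_UNSET;
    FILE *f = fopen("/proc/self/loginuid", "r");

    if (!f)
        return LOGINUID_UNSET;
    if (fgets(buf, sizeof buf, f))
        uid = loginuid_from_text(buf);
    fclose(f);
    return uid;
}

/* Name for a uid, or a placeholder if there is no passwd entry. */
static const char *uid_name(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw ? pw->pw_name : "(no passwd entry)";
}

int main(void)
{
    uid_t real = getuid();
    uid_t login = read_own_loginuid();

    printf("real uid : %u (%s)\n", (unsigned)real, uid_name(real));
    if (login == LOGINUID_UNSET)
        printf("login uid: unset\n");
    else
        printf("login uid: %u (%s)\n", (unsigned)login, uid_name(login));

    printf("USE=audit  would authenticate: %s\n",
           uid_name(auth_uid_with_audit(login, real)));
    printf("USE=-audit would authenticate: %s\n",
           uid_name(auth_uid_without_audit(real)));
    return 0;
}
```

Run it once as the ssh user and once after "sudo -s": the real uid changes to 0, but the login uid stays at the ssh user, which is exactly why run_init prompted for alex. Where no pam_loginuid ran for the session (a console login without it, or a container), the file reads 4294967295, the code falls back to getuid(), and both builds prompt for the same user.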