Gentoo Forums
gentoo-hardened broken shell stdin
sergeev917
n00b
Joined: 04 Apr 2014
Posts: 10

PostPosted: Sat Feb 11, 2017 3:48 pm    Post subject: gentoo-hardened broken shell stdin

Hi, everyone!

For some time I've been running into a problem with a Gentoo server running the hardened profile and friends; now I've finally got time to dive into it.
The problem shows itself this way:

Code:

srv ~ # newrole -r sysadm_r
Password:

srv ~ # /etc/init.d/nginx status
Authenticating root.
Password:
 * status: started

srv ~ # /etc/init.d/nginx status
Authenticating root.
Password:
 * Authentication failed for root


Logs:
Code:

openrc-run[24882]: pam_unix(run_init:auth): conversation failed
openrc-run[24882]: pam_unix(run_init:auth): auth could not identify password for [root]


What I've discovered so far: the authentication process works until it has succeeded once. After that it does not work anymore until the session ends and newrole is invoked again. Using strace on the failing commands I've found that the root of this problem is somewhat interesting. The actual read() system call fails:

Code:

write(2, "Password: ", 10)        = 10
read(0, BUF_PTR, 511)       = -1 EAGAIN (Resource temporarily unavailable)


Seems like pseudo-terminal is broken for new child processes:

Code:

srv ~ # read x
bash: read: read error: 0: Resource temporarily unavailable


And it looks like the source of all this is inside pam & run_init; if I enable the following line in /etc/pam.d/run_init:
Code:

auth       sufficient   pam_rootok.so


I have everything working, but without password prompts, and I would rather keep them. The manipulations shown were done with the system in permissive SELinux mode, so I don't think the problem comes from that side.
Are there any ideas about how to tackle this further and where the source of the problem could be?

--
PTY manipulations are coming from run_init and open_init_pty binaries from sys-apps/policycoreutils; I have version 2.6-r1 with +pam -audit -dbus.
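An added example (not from the thread) that reproduces the symptom described above: read(2) on a terminal or pipe only returns EAGAIN when O_NONBLOCK is set, and that flag lives on the shared open file description rather than on the fd number, so a flag set by one process (or through one dup) breaks every other holder of the same stdin, including later children. A pipe stands in for the pty here; the function names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if O_NONBLOCK is set on fd, 0 if not, -1 on error (e.g. fd is closed). */
int fd_is_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1) return -1;
    return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Set (on=1) or clear (on=0) O_NONBLOCK. The flag sits on the open file
 * description, so this affects every fd and every process sharing it. */
int fd_set_nonblocking(int fd, int on) {
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1) return -1;
    flags = on ? (flags | O_NONBLOCK) : (flags & ~O_NONBLOCK);
    return fcntl(fd, F_SETFL, flags);
}

/* Two fds share one description, like fd 0 in a parent and its child.
 * Returns the errno of a read made through the *untouched* fd after the flag
 * was set through the other one (EAGAIN expected), or -1 on a setup failure
 * or if clearing the flag did not restore a working read. */
int demo_shared_nonblock(void) {
    int p[2], other, err = 0;
    char buf[16];
    if (pipe(p) == -1) return -1;
    if ((other = dup(p[0])) == -1) return -1;  /* same description as p[0] */
    if (fd_set_nonblocking(other, 1) == -1) return -1;
    /* Nothing written yet: a blocking read would wait, a non-blocking one fails. */
    if (read(p[0], buf, sizeof buf) == -1) err = errno;
    /* Repair through p[0]: clearing the flag there fixes 'other' as well. */
    if (fd_set_nonblocking(p[0], 0) == -1) return -1;
    if (fd_is_nonblocking(other) != 0) return -1;
    if (write(p[1], "ok\n", 3) != 3) return -1;
    if (read(other, buf, sizeof buf) != 3) return -1;
    close(p[0]); close(p[1]); close(other);
    return err;
}

/* Stand-alone use: report whether this process's own stdin is affected. */
int main(void) {
    int nb = fd_is_nonblocking(STDIN_FILENO);
    printf("stdin O_NONBLOCK: %s\n", nb == 1 ? "set (read will EAGAIN)" : nb == 0 ? "clear" : "unknown");
    printf("shared-description demo errno: %d (EAGAIN=%d)\n", demo_shared_nonblock(), EAGAIN);
    return 0;
}
```

Run from a shell that already shows the "Resource temporarily unavailable" error and the first line reports the flag as set; that is the check to make before suspecting PAM itself.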
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5801

PostPosted: Mon Feb 20, 2017 10:54 pm    Post subject:

(I had posted this earlier but removed it as I wasn't sure what run_init was from; I use grsec instead of SELinux.)

There are a few PAM scripts that use the "root ok" mechanism (like su). I don't necessarily think it's PAM's fault, but something sure doesn't seem right there.