[rsbac] passwd

Rafal Wojtczuk rafal.wojtczuk at 7bulls.com
Fri Jul 25 20:33:47 MEST 2003

On Fri, Jul 25, 2003 at 09:24:38AM +0200, Amon Ott wrote:
> On Friday, 25. July 2003 08:43, polish wrote:
> >   How did you resolve access to /etc/passwd and /etc/shadow. I would like
> > to create new user X, who can change password to everyone. And root can't
> > change password. I find a some standard solution of this problem.
> passwd and shadow are tricky, because they get deleted and recreated with 
> every change. What I would do is make a wrapper script, which
> - is the only one allowed to write access these files (RC initial role)
> - may only be executed by the specified user (extra user role and passwd-exe 
> type)
> - has a sensible default_fd_create_type, e.g. passwd-type
> - corrects the types of the files after the change (because passwd and shadow 
> usually need different types)
Be careful with this approach. Even if you allow only a selected
libraries to be LD_PRELOADed by this wrapper (assuming it is ELF) a malicious root can still 
write arbitrary content to /etc/passwd and /etc/shadow by preloading /lib/libSegfault.so
(assuming all libraries in /lib are marked appropriate for MAY_EXEC).
See selinux archives from June for details.

More information about the rsbac mailing list