[rsbac] passwd
Rafal Wojtczuk
rafal.wojtczuk at 7bulls.com
Fri Jul 25 20:33:47 MEST 2003
On Fri, Jul 25, 2003 at 09:24:38AM +0200, Amon Ott wrote:
> On Friday, 25. July 2003 08:43, polish wrote:
> > How did you resolve access to /etc/passwd and /etc/shadow. I would like
> > to create new user X, who can change password to everyone. And root can't
> > change password. I find a some standard solution of this problem.
>
> passwd and shadow are tricky, because they get deleted and recreated with
> every change. What I would do is make a wrapper script, which
>
> - is the only one allowed to write access these files (RC initial role)
> - may only be executed by the specified user (extra user role and passwd-exe
> type)
> - has a sensible default_fd_create_type, e.g. passwd-type
> - corrects the types of the files after the change (because passwd and shadow
> usually need different types)
Be careful with this approach. Even if you allow only a selected
libraries to be LD_PRELOADed by this wrapper (assuming it is ELF) a malicious root can still
write arbitrary content to /etc/passwd and /etc/shadow by preloading /lib/libSegfault.so
(assuming all libraries in /lib are marked appropriate for MAY_EXEC).
See selinux archives from June for details.
RW
More information about the rsbac
mailing list