[rsbac] passwd

Amon Ott ao at rsbac.org
Sat Jul 26 19:29:24 MEST 2003

On Friday, 25. July 2003 19:33, Rafal Wojtczuk wrote:
> On Fri, Jul 25, 2003 at 09:24:38AM +0200, Amon Ott wrote:
> > On Friday, 25. July 2003 08:43, polish wrote:
> > >   How did you resolve access to /etc/passwd and /etc/shadow. I would 
> > > to create new user X, who can change password to everyone. And root 
> > > change password. I find a some standard solution of this problem.
> > 
> > passwd and shadow are tricky, because they get deleted and recreated with 
> > every change. What I would do is make a wrapper script, which
> > 
> > - is the only one allowed to write access these files (RC initial role)
> > - may only be executed by the specified user (extra user role and 
> > type)
> > - has a sensible default_fd_create_type, e.g. passwd-type
> > - corrects the types of the files after the change (because passwd and 
> > usually need different types)
> Be careful with this approach. Even if you allow only a selected
> libraries to be LD_PRELOADed by this wrapper (assuming it is ELF) a 
malicious root can still 
> write arbitrary content to /etc/passwd and /etc/shadow by preloading 
> (assuming all libraries in /lib are marked appropriate for MAY_EXEC).
> See selinux archives from June for details.

Right, if you can load arbitary libs, you can get into all kinds of trouble. 

The passwd/shadow system is dead ugly and insecure, no doubt here. It is just 
that it has been there for a long time and is very easy to use.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list