[rsbac] passwd

Amon Ott ao at rsbac.org
Sat Jul 26 19:29:24 MEST 2003


On Friday, 25. July 2003 19:33, Rafal Wojtczuk wrote:
> On Fri, Jul 25, 2003 at 09:24:38AM +0200, Amon Ott wrote:
> > On Friday, 25. July 2003 08:43, polish wrote:
> > >   How did you resolve access to /etc/passwd and /etc/shadow. I would like
> > > to create new user X, who can change password to everyone. And root can't
> > > change password. I find a some standard solution of this problem.
> > 
> > passwd and shadow are tricky, because they get deleted and recreated with 
> > every change. What I would do is make a wrapper script, which
> > 
> > - is the only one allowed to write access these files (RC initial role)
> > - may only be executed by the specified user (extra user role and
> > passwd-exe type)
> > - has a sensible default_fd_create_type, e.g. passwd-type
> > - corrects the types of the files after the change (because passwd and
> > shadow usually need different types)
> Be careful with this approach. Even if you allow only selected
> libraries to be LD_PRELOADed by this wrapper (assuming it is ELF) a
> malicious root can still write arbitrary content to /etc/passwd and
> /etc/shadow by preloading /lib/libSegfault.so
> (assuming all libraries in /lib are marked appropriate for MAY_EXEC).
> See selinux archives from June for details.

Right, if you can load arbitrary libs, you can get into all kinds of trouble.

The passwd/shadow system is dead ugly and insecure, no doubt here. It is just 
that it has been there for a long time and is very easy to use.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
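
An added illustration of the preload concern raised in this thread (not code from the thread or from RSBAC): a wrapper in C that hands the program it executes an allow-listed environment, so LD_PRELOAD and other LD_* variables never reach it. The target path /usr/bin/passwd, the allow-list and the fixed PATH are assumptions; since the dynamic loader handles LD_PRELOAD before main() runs, this covers only the exec'd program, and a dynamically linked wrapper itself needs separate protection.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed allow-list: the only variables the child may inherit. */
static const char *const KEEP[] = { "TERM", "LANG", NULL };

/* Return 1 if the NAME part of "NAME=value" is exactly on the allow-list. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                          /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(entry, KEEP[i], n) == 0)
            return 1;
    return 0;                              /* LD_PRELOAD, LD_LIBRARY_PATH, ... */
}

/* Build a new NULL-terminated environment: a fixed PATH first, then the
 * allow-listed entries of `in`. Returns NULL if allocation fails. */
char **clean_env(char *const in[])
{
    size_t count = 0, k = 0;
    while (in[count] != NULL)
        count++;
    char **out = calloc(count + 2, sizeof *out);
    if (out == NULL)
        return NULL;
    out[k++] = "PATH=/usr/bin:/bin";       /* assumed safe PATH */
    for (size_t i = 0; i < count; i++)
        if (env_allowed(in[i]))
            out[k++] = in[i];
    out[k] = NULL;
    return out;
}

extern char **environ;

int main(int argc, char *argv[])
{
    (void)argc;
    char **envp = clean_env(environ);
    if (envp == NULL)
        return 111;
    execve("/usr/bin/passwd", argv, envp); /* assumed target path */
    return 111;                            /* reached only if exec failed */
}
```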

