[rsbac] UM can't set passwords - strange symptoms

kang kang at rsbac.org
Thu Jul 19 12:14:07 CEST 2007


Sven Seeland wrote:
> By the way: the bug is happening again. Now that I know that 1.3.5 will fix it 
> I'll just leave it as it is and hope that 1.3.5 hits Gentoo Portage real fast. 
> Oh well...
>
> Sven Seeland wrote:
>   
>> Hmm, I'm kind of in a bind here. First of all I must say that I'm no kernel expert, and I am in no way an experienced Linux admin. I'm doing this as a hobby, but I still want my server to be reasonably safe.
>> However, I'm relying on several features that are (as far as I know) exclusive to 2.6. Namely udev, lvm2 and alsa (and possibly more).
>>
>> I'm also using Gentoo and it looks like it defaults to 2.6 now. You *can* make it run on 2.4, but it requires a good bit of work and system knowledge and I currently don't really feel up to the task.
>> Also, the server doubles as a media center. Not a good combination to put a hardened webserver and a media center on the same machine, I know, but I only have one computer at my disposal so it's gotta do both jobs. And I'm afraid that running either part of the server in a virtualized environment (e.g. on virtualbox) will hurt performance badly.
>>
>> Any advice?
>>
>> Interestingly, the password bug hasn't occurred on the new setup yet.
>>
>> Anyways, I'll stay tuned for the update and hope it trickles down the Gentoo pipeline soon.
>>
>> Greetings,
>> Sven
>>
>>
>> -------- Original Message --------
>> Date: Wed, 18 Jul 2007 10:11:54 +0200
>> From: Amon Ott <ao at rsbac.org>
>> To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
>> Subject: Re: [rsbac] UM can't set passwords - strange symptoms
>>
>>     
>>> On Tuesday 17 July 2007 14:54, Sven Seeland wrote:
>>>       
>>>> Thanks, everything works now. I guess I got spooked. On my last
>>>> install I was having all sorts of weird problems concerning RSBAC
>>>> UM, like not being able to set passwords, not being able to log in,
>>>> being able to log in regardless of the password entered, etc. And I
>>>> couldn't solve this by reverting back to standard unix shadow suite
>>>> user management. Which caused me to reinstall from scratch. It's
>>>> not a production machine and I'm still pretty new to this...
>>>>         
>>> If you are using a 2.6 kernel with UM, you are strongly encouraged to 
>>> update to 1.3.5, which has been uploaded to download.rsbac.org 
>>> yesterday. We have fixed a nasty bug, which could cause any password 
>>> to be accepted on 2.6 kernels - like you noticed.
>>>
>>> There is a reason why I recommend 2.4 on any server system: 2.6 
>>> internal APIs change with almost every release, so you can expect any 
>>> kind of bug. Needless to say that new APIs are hardly ever 
>>> documented. 2.6 is nothing I would call stable software, rather a 
>>> run-away hunt for features. One look at the rate of security fixes 
>>> for every 2.6 release tells the story.
>>>
>>> This example has hit us here: crypto API interface has changed, but 
>>> third parameter of analogous function with similar name still has the 
>>> same type, but very different meaning. So we ended up hashing a 
>>> single byte of the salt instead of the whole salt + password string. 
>>> Sure any password matched, because the same salt was used for 
>>> compare.
>>>
>>> We will make an official announcement after some more quality checks 
>>> on the release files.
>>>
>>> Amon.
>>>
>>>       
It won't hit portage until PaX is released for 2.6.22 (with some
important pax changes, should be the reason for the delay). And it's not
available yet :|
If it takes more than a few days however I will just patch 1.3.5 fixes
in the 2.6.21 kernel.

kang
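For readers who want to see the class of bug Amon describes above in running code: the following is an added example written for this thread, not RSBAC code and not the kernel crypto API. It models the interface change he describes (a third parameter that keeps its type but changes meaning from "number of scatterlist entries" to "number of bytes") with two constructed stand-in functions, digest_by_entries and digest_by_bytes, and a toy 64-bit FNV-1a digest in place of the real hash. The salt, password and struct names are all made up for the demonstration. The buggy caller passes 1 (its entry count) where a byte count is now expected, so set and check both hash only the first byte of the salt and every password verifies, exactly the symptom reported at the top of the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in digest (64-bit FNV-1a). It exists only so the example
 * runs without a crypto library; the bug does not depend on the hash used. */
#define TOY_DIGEST_INIT 0xcbf29ce484222325ULL
static uint64_t toy_digest_update(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* One scatter/gather entry: a pointer and the number of bytes behind it. */
struct sg_entry { const uint8_t *data; size_t len; };

/* Assumed OLD interface shape: the third argument is the number of ENTRIES. */
static uint64_t digest_by_entries(const struct sg_entry *sg, unsigned int nsg)
{
    uint64_t h = TOY_DIGEST_INIT;
    for (unsigned int i = 0; i < nsg; i++)
        h = toy_digest_update(h, sg[i].data, sg[i].len);
    return h;
}

/* Assumed NEW interface shape: same position, same type, but the third
 * argument is now the total number of BYTES to consume across the entries.
 * The caller must pass exactly the bytes the list holds. */
static uint64_t digest_by_bytes(const struct sg_entry *sg, unsigned int nbytes)
{
    uint64_t h = TOY_DIGEST_INIT;
    for (const struct sg_entry *e = sg; nbytes > 0; e++) {
        size_t take = e->len < nbytes ? e->len : nbytes;
        h = toy_digest_update(h, e->data, take);
        nbytes -= (unsigned int)take;
    }
    return h;
}

#define SALT_LEN 8
#define PW_MAX   64

struct um_user {
    uint8_t  salt[SALT_LEN];   /* constructed per-user salt */
    uint64_t stored;           /* digest of salt || password */
};

/* Lay out salt || password in one contiguous buffer; returns its length. */
static size_t build_salted(uint8_t *buf, const uint8_t *salt, const char *pw)
{
    size_t pwlen = strlen(pw);
    if (pwlen > PW_MAX) pwlen = PW_MAX;
    memcpy(buf, salt, SALT_LEN);
    memcpy(buf + SALT_LEN, pw, pwlen);
    return SALT_LEN + pwlen;
}

/* Caller written against the old interface: one entry, so it passes 1.
 * Compiled against the new interface, 1 means "one byte": only the first
 * salt byte is digested and the password never enters the hash. */
static uint64_t salted_digest_buggy(const uint8_t *salt, const char *pw)
{
    uint8_t buf[SALT_LEN + PW_MAX];
    struct sg_entry sg = { buf, build_salted(buf, salt, pw) };
    return digest_by_bytes(&sg, 1);   /* BUG: entry count passed as byte count */
}

/* Corrected caller: pass the byte length the new interface expects. */
static uint64_t salted_digest_fixed(const uint8_t *salt, const char *pw)
{
    uint8_t buf[SALT_LEN + PW_MAX];
    struct sg_entry sg = { buf, build_salted(buf, salt, pw) };
    return digest_by_bytes(&sg, (unsigned int)sg.len);
}

typedef uint64_t (*salted_digest_fn)(const uint8_t *, const char *);

static void um_set_password(struct um_user *u, const char *pw, salted_digest_fn fn)
{
    u->stored = fn(u->salt, pw);
}

static bool um_check_password(const struct um_user *u, const char *pw, salted_digest_fn fn)
{
    return fn(u->salt, pw) == u->stored;
}

/* Porting check worth keeping as a unit test: the old call over one entry and
 * the new call with the full byte count must agree, and must differ from the
 * new call with the misused count of 1. */
static bool interfaces_agree(const char *pw)
{
    static const uint8_t salt[SALT_LEN] = "saltsalt";   /* constructed salt */
    uint8_t buf[SALT_LEN + PW_MAX];
    struct sg_entry sg = { buf, build_salted(buf, salt, pw) };
    uint64_t old_way = digest_by_entries(&sg, 1);
    uint64_t new_way = digest_by_bytes(&sg, (unsigned int)sg.len);
    uint64_t misused = digest_by_bytes(&sg, 1);
    return old_way == new_way && old_way != misused;
}

/* Returns true when the buggy path accepts a wrong password while the fixed
 * path rejects it and still accepts the right one. */
static bool bug_reproduces(void)
{
    struct um_user u = { .salt = "salt1234" };          /* constructed salt */
    um_set_password(&u, "correct horse", salted_digest_buggy);
    bool buggy_accepts_wrong = um_check_password(&u, "wrong", salted_digest_buggy);
    um_set_password(&u, "correct horse", salted_digest_fixed);
    bool fixed_rejects_wrong = !um_check_password(&u, "wrong", salted_digest_fixed);
    bool fixed_accepts_right = um_check_password(&u, "correct horse", salted_digest_fixed);
    return buggy_accepts_wrong && fixed_rejects_wrong && fixed_accepts_right;
}

int main(void)
{
    printf("any-password-accepted bug reproduces: %s\n", bug_reproduces() ? "yes" : "no");
    printf("old/new interfaces agree on full buffer: %s\n", interfaces_agree("hunter2") ? "yes" : "no");
    return 0;
}
```

The interfaces_agree check is the kind of thing that catches this class of regression when a call site is moved between two functions with the same parameter types: compile-time type checking cannot see a count-versus-length change, so a test that compares the digest of a known salt+password against a fixed-length reference is the cheapest defence.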

