On Friday 25 January 2008 16:01:37 Scott Bambrough wrote:
> We are working on a management tool that attempts to set up
> mod-auth-shadow to work on RedHat 5.1 with SELinux in enforcing mode.
>
> Based on the following excerpt from the httpd_selinux man page:
>
> "If you want to share files with multiple domains (Apache, FTP, rsync,
> Samba), you can set a file context of public_content_t and
> public_content_rw_t.
This type is for web content - not trusted databases.
> we have set the file context of /etc/shadow to public_content_t. The
> file permissions remain unchanged, only root can read the file.
>
> [root@(protected)
> -r-------- root root root:object_r:public_content_t /etc/shadow
This makes shadow readable by apache (assuming it had root privs) and as such
can now serve shadow to anyone able to request it. That would be a severe
security policy violation.
> This almost works correctly:
> 1) mod-auth-shadow works correctly
> 2) can manage users via command line tools (useradd/usermod/userdel etc.)
> 3) system-config-users can manage users
> 4) my management tool can manage users
>
> I have some problems with this setup however:
>
> 1) I'm not sure of all the implications of changing the file context of
> /etc/shadow to public_content_t. Basically I'm getting confused as to
> how someone or some process gets write permissions to the file.
Do not work with shadow directly from a web server. The most trusted of all
databases cannot be made readable/writable to an external facing, potentially
compromised daemon. Apache trying to write to shadow would be indicative of
an intrusion attempt.
> 2) An rpm that attempts to add a user in a pre/post install script fails
> to add the user. useradd is denied write access to /etc/shadow.
Is the rpm command being run from apache?
> 3) I get a lot of the following SELinux alerts:
>
> SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow
> (public_content_t).
Yep. restorecon /etc/shadow will fix that.
> Do I have to set the file context of /etc/shadow to public_content_rw_t,
> and set a boolean to allow anonymous writes? There doesn't seem to be
> any such boolean for rpm.
What exactly were you trying to do?
-Steve
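The check behind Steve's "restorecon /etc/shadow will fix that", as an added shell example that is not part of this thread or of any Red Hat tool: it audits the SELinux label on /etc/shadow and reports when it has drifted from the policy default. It assumes the stock targeted policy labels /etc/shadow as shadow_t; the function names (shadow_label_ok, audit_shadow) and the sample lines are this example's own, written in the ls -Z format shown in the quoted output.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the targeted policy's
# default label for /etc/shadow is shadow_t (true on stock RHEL 5).
EXPECTED_TYPE="shadow_t"

# shadow_label_ok LINE
# Takes one line of "ls -Z" output, e.g.
#   -r-------- root root root:object_r:shadow_t /etc/shadow
# finds the security context field (user:role:type[:level]) and returns
# 0 when the type component is shadow_t, 1 otherwise (including when no
# context is present, as on a system without SELinux, where ls prints "?").
shadow_label_ok() {
    line="$1"
    ctx=""
    for field in $line; do
        case "$field" in
            *:*:*) ctx="$field"; break ;;   # first field with two colons
        esac
    done
    [ -n "$ctx" ] || return 1
    setype=$(printf '%s\n' "$ctx" | cut -d: -f3)   # third component is the type
    [ "$setype" = "$EXPECTED_TYPE" ]
}

# audit_shadow
# Live check of the real file. Only runs where an SELinux-aware ls exists;
# on a mislabeled file it names the fix (restorecon) rather than applying it,
# so it is safe to run from a read-only audit account.
audit_shadow() {
    if ! ls -Z /etc/shadow >/dev/null 2>&1; then
        echo "SELinux-aware ls not available; skipping live check"
        return 0
    fi
    current=$(ls -Z /etc/shadow)
    if shadow_label_ok "$current"; then
        echo "OK: $current"
    else
        echo "MISLABELED: $current"
        echo "expected type $EXPECTED_TYPE; fix with: restorecon -v /etc/shadow"
        return 1
    fi
}

# Usage: run with --live to audit the real /etc/shadow.
if [ "${1:-}" = "--live" ]; then
    audit_shadow
fi
```

A non-zero exit from audit_shadow is the condition to alert on: a web-facing label such as public_content_t on the shadow file is exactly the exposure the reply warns about, and restorecon returns it to the policy default without touching the DAC permissions.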
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list