I think the placement of the pam_keyinit.so in the pam files is incorrect?
Simo Sorce
ssorce at redhat.com
Thu Dec 6 18:39:19 UTC 2007
On Thu, 2007-12-06 at 10:33 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I don't fully understand how you intend to use keying, but I have talked
> to Nalin about this, since he is about to allow or does allow the
> storing of the kerberos tgt in a kernel keyring.
>
> Currently pam_keyinit is happening in system-auth as well as most of the
> login pam modules.
>
> SELinux comes into play here, since we want to make sure the context on
> the keyring is set correctly. "pam_selinux open" sets the kernel to
> label the keyring with the users context, but in several places
> pam_keyinit is being called before pam_selinux (system-auth) is the
> culprit.
>
> This results in us having kernel keyrings labeled local_login_t or
> sshd_t. Which is wrong. They should be labeled user_t or unconfined_t.
>
> So I would suggest that we remove pam_keyinit from system_auth and only
> use it in login pam modules which call it after pam_selinux open.
Make a lot of sense to me.
> Now the next question is whether it should be called in su or sudo?
> Since wouldn't this remove access to my keying material?
Do you want sudo to really give you power over keying material?
Usually sudo is used to run programs just with a higher privilege on the
local machine, and never to obtain key material.
I have the feeling that it is somehow wrong to give sudo that power.
For su I am still uncertain, but given that su does not authenticate the
final user but only the super user I again wonder if that should give
any access to the kernel keyring.
> su and sudo do not call pam_selinux open, so it will not setup a
> labeling for pam_keyinit, and the keys will get created as user_sudo_t
> or user_su_t for example. At this point what access is expected by the
> user for these keyrings? Would you expect the keyrings to be labeled
> kernel_t, or should we remove the pam_keyinit from su and sudo, leaving
> access to the login keyrings.
I think it is safer to not give su and sudo access to keyrings by
default, is there a credible scenario that would require that and that
cannot be accomplisced in another way?
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
More information about the fedora-devel-list
mailing list