Bug#352494: passwd: confusing error message if /proc is not found

Sun, 12 Feb 2006 10:18:09 -0800 

Hello,

On Sun, Feb 12, 2006 at 12:19:22PM +0100, Marc Haber wrote:
> 
> invoking "passwd foo" in a chroot without /proc mounted results in the
> error message "passwd: You may not view or modify password information
> for foo".

This was caused by the call to selinux_check_passwd_access, which failed
(returned -1) on non-SELinux system without /proc.

Russel, can you check the attached patch?
(It can be dropped in the debian/patches directory of the shadow source
package, after adding 493_selinux_no_proc at the end of
debian/patches/series)

Thanks in advance,
-- 
Nekral

Index: shadow-4.0.14/src/chage.c
===================================================================
--- shadow-4.0.14.orig/src/chage.c      2006-02-12 16:49:27.000000000 +0100
+++ shadow-4.0.14/src/chage.c   2006-02-12 18:20:44.000000000 +0100
@@ -361,11 +361,10 @@
        textdomain (PACKAGE);
 
        ruid = getuid ();
-#ifdef WITH_SELINUX
-       amroot = (ruid == 0
-                 && selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
-#else
        amroot = (ruid == 0);
+#ifdef WITH_SELINUX
+       if (amroot && is_selinux_enabled () > 0)
+               amroot = (selinux_check_passwd_access (PASSWD__ROOTOK) == 0);
 #endif
 
        /*
Index: shadow-4.0.14/src/chfn.c
===================================================================
--- shadow-4.0.14.orig/src/chfn.c       2006-02-12 16:49:26.000000000 +0100
+++ shadow-4.0.14/src/chfn.c    2006-02-12 18:21:36.000000000 +0100
@@ -378,6 +378,7 @@
         * check if the change is allowed by SELinux policy.
         */
        if ((pw->pw_uid != getuid ())
+           && (is_selinux_enabled () > 0)
            && (selinux_check_passwd_access (PASSWD__CHFN) != 0)) {
                fprintf (stderr, _("%s: Permission denied.\n"), Prog);
                closelog ();
Index: shadow-4.0.14/src/chsh.c
===================================================================
--- shadow-4.0.14.orig/src/chsh.c       2006-02-12 16:49:27.000000000 +0100
+++ shadow-4.0.14/src/chsh.c    2006-02-12 18:23:20.000000000 +0100
@@ -304,6 +304,7 @@
         * check if the change is allowed by SELinux policy.
         */
        if ((pw->pw_uid != getuid ())
+           && (is_selinux_enabled () > 0)
            && (selinux_check_passwd_access (PASSWD__CHSH) != 0)) {
                SYSLOG ((LOG_WARN, "can't change shell for `%s'", user));
                closelog ();
Index: shadow-4.0.14/src/passwd.c
===================================================================
--- shadow-4.0.14.orig/src/passwd.c     2006-02-12 16:49:27.000000000 +0100
+++ shadow-4.0.14/src/passwd.c  2006-02-12 18:36:57.000000000 +0100
@@ -802,7 +802,9 @@
         * check if the change is allowed by SELinux policy.
         */
        if ((pw->pw_uid != getuid ())
-           && (selinux_check_passwd_access (PASSWD__PASSWD) != 0)) {
+           && (is_selinux_enabled () > 0 ?
+                   (selinux_check_passwd_access (PASSWD__PASSWD) != 0):
+                   !amroot)) {
 #else
        /*
         * If the UID of the user does not match the current real UID,

Reply via email to