Your message dated Tue, 06 Jan 2009 00:47:04 +0000
with message-id <e1lk064-0006ji...@ries.debian.org>
and subject line Bug#510134: fixed in libsemanage 2.0.25-3
has caused the Debian Bug report #510134,
regarding genhomedircon.c: login.defs:MAX_UID have no effect on generating list 
of valid users, but MIN_UID does have.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
510134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libsemanage1
Version: 2.0.25-2
Severity: normal
File: /lib/libsemanage.so.1
Tags: patch


Some debian packages like qmail or any other services sometimes
prefer to create its users not below MIN_UID, but rather above
MAX_UID.
It is also found that qmail installation script creates qmail users
with SHELL=/bin/sh (I don't know whether it is a bug).

genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in
/etc/login.defs to exclude system users from generating homedir contexts.
But unfortunately it does not check it against MAX_UID setting from the same
file.

Installing qmail package on selinux system exhibits behaviour, described in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510125

Patch attached to add checking uid value against MAX_UID too.
PS: Default value for MAX_UID is set to 60000, correct it if what.

Thanks.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsemanage1 depends on:
ii  libc6                         2.7-16     GNU C Library: Shared libraries
ii  libselinux1                   2.0.65-5   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  libustr-1.0-1                 1.0.4-1    Micro string library: shared libra

libsemanage1 recommends no packages.

libsemanage1 suggests no packages.

-- no debconf information
--- genhomedircon.c~	2008-02-06 19:08:20.000000000 +0400
+++ genhomedircon.c	2008-12-29 20:26:10.000000000 +0400
@@ -219,8 +219,8 @@
 	char *rbuf = NULL;
 	char *path = NULL;
 	long rbuflen;
-	uid_t temp, minuid = 0;
-	int minuid_set = 0;
+	uid_t temp, minuid = 0, maxuid = 0;
+	int minuid_set = 0, maxuid_set = 0;
 	struct passwd pwstorage, *pwbuf;
 	struct stat buf;
 	int retval;
@@ -270,6 +270,16 @@
 	}
 	free(path);
 	path = NULL;
+	path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MAX", NULL);
+	if (path && *path) {
+		temp = atoi(path);
+		if (!maxuid_set || temp > maxuid) {
+			maxuid = temp;
+			maxuid_set = 1;
+		}
+	}
+	free(path);
+	path = NULL;
 
 	path = semanage_findval(PATH_ETC_LIBUSER, "LU_UIDNUMBER", "=");
 	if (path && *path) {
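Review bot: temp = atoi(path) in the new UID_MAX block does no validation, so a non-numeric value in login.defs yields 0 and is still stored with maxuid_set = 1; together with the pw_uid > maxuid test added later in this patch, that skips every account above uid 0. Parse with strtoul, check the end pointer, and leave maxuid_set at 0 on failure so the default applies. In the lines shown, this is also the only place maxuid is assigned before the default, so the !maxuid_set || temp > maxuid condition is always true and could be a plain assignment unless a second source is planned.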
@@ -286,6 +296,10 @@
 		minuid = 500;
 		minuid_set = 1;
 	}
+	if (!maxuid_set) {
+		maxuid = 60000;
+		maxuid_set = 1;
+	}
 
 	rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
 	if (rbuflen <= 0)
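Review bot: the fallback maxuid = 60000 is a bare literal with no comment on where the value comes from, and the submitter's own note asks for it to be corrected if it is wrong. Give it a named constant next to the 500 used for minuid and document the choice, because on a system whose login.defs has no UID_MAX every account above 60000 will now be left out of homedir context generation.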
@@ -295,7 +309,7 @@
 		goto fail;
 	setpwent();
 	while ((retval = getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf)) == 0) {
-		if (pwbuf->pw_uid < minuid)
+		if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid)
 			continue;
 		if (!semanage_list_find(shells, pwbuf->pw_shell))
 			continue;
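Review bot: the extended test pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid skips accounts silently, so an administrator whose real users sit above the upper bound gets no hint why those home directories lost their contexts. Add a comment stating that both bounds are inclusive and that accounts outside them are treated as system accounts, and consider a debug-level message on skip.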
@@ -322,7 +336,7 @@
 
 			/* NOTE: old genhomedircon printed a warning on match */
 			if (hand.matched) {
-				WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy.  This usually indicates an incorrectly defined system account.  If it is a system account please make sure its uid is less than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid);
+			  WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy.  This usually indicates an incorrectly defined system account.  If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid);
 			} else {
 				if (semanage_list_push(&homedir_list, path))
 					goto fail;
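Review bot: the replacement WARN( line is indented with tabs followed by two spaces, while the line it replaces and the surrounding code use tabs only; keep the original indentation so the change is limited to the message text and the extra maxuid argument.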

--- End Message ---
--- Begin Message ---
Source: libsemanage
Source-Version: 2.0.25-3

We believe that the bug you reported is fixed in the latest version of
libsemanage, which is due to be installed in the Debian FTP archive:

libsemanage1-dev_2.0.25-3_amd64.deb
  to pool/main/libs/libsemanage/libsemanage1-dev_2.0.25-3_amd64.deb
libsemanage1_2.0.25-3_amd64.deb
  to pool/main/libs/libsemanage/libsemanage1_2.0.25-3_amd64.deb
libsemanage_2.0.25-3.diff.gz
  to pool/main/libs/libsemanage/libsemanage_2.0.25-3.diff.gz
libsemanage_2.0.25-3.dsc
  to pool/main/libs/libsemanage/libsemanage_2.0.25-3.dsc
python-semanage_2.0.25-3_amd64.deb
  to pool/main/libs/libsemanage/python-semanage_2.0.25-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Manoj Srivastava <sriva...@debian.org> (supplier of updated libsemanage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Jan 2009 16:53:48 -0600
Source: libsemanage
Binary: libsemanage1 libsemanage1-dev python-semanage
Architecture: source amd64
Version: 2.0.25-3
Distribution: unstable
Urgency: high
Maintainer: Manoj Srivastava <sriva...@debian.org>
Changed-By: Manoj Srivastava <sriva...@debian.org>
Description: 
 libsemanage1 - shared libraries used by SELinux policy manipulation tools
 libsemanage1-dev - Header files and libraries for SELinux policy manipulation tools
 python-semanage - Python bindings  for SELinux policy manipulation tools
Closes: 510134
Changes: 
 libsemanage (2.0.25-3) unstable; urgency=high
 .
   * [bab6644]: Also check for the upper bound on user ids in login.defs
 .
     Some non-Debian packages (like qmail, shudder) create
     users not below MIN_UID, but above MAX_UID, in /etc/login.defs
     (non-system users are supposed to have uids between MIN_UID and
     MAX_UID).
 .
     genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in
     /etc/login.defs to exclude system users from generating homedir
     contexts. But unfortunately it does not check it against MAX_UID
     setting from the same file. This gets us lines like the following in
     the contexts/files/file_contexts.homedirs file:
     ,----
     | #
     | # Home Context for user user_u
     | #
     | /var/qmail/[^/]*/.+ user_u:object_r:user_home_t:s0
     | /var/qmail/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
     | /var/qmail/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
     | /var/qmail/[^/]* -d user_u:object_r:user_home_dir_t:s0
     | /var/qmail/lost\+found/.* <<none>>
     | /var/qmail -d system_u:object_r:home_root_t:s0
     | /var/qmail/\.journal <<none>>
     | /var/qmail/lost\+found -d system_u:object_r:lost_found_t:s0
     | /tmp/gconfd-.* -d user_u:object_r:user_tmp_t:s0
     `----
     This commit adds checking uid value against MAX_UID too.
 .
     Bug fix: "login.defs:MAX_UID have no effect on generating list of
     valid users, but MIN_UID does have.", thanks to root
     (Closes: #510134).



--- End Message ---
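
The uid range check discussed in this thread, as an added example that is not part of the original messages or of libsemanage. It reads UID_MIN and UID_MAX (the key names used in the patch) from a constructed login.defs buffer, validates them with strtoul instead of atoi, and falls back to the patch's defaults of 500 and 60000; the helper names and sample accounts are hypothetical, and the login shell check is left out.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input, not taken from a real system. */
static const char LOGIN_DEFS[] = "UID_MIN 1000\nUID_MAX 60000\n";
static const struct { const char *name; unsigned long uid; } ACCTS[] = {
    { "daemon", 1 },      /* system account below UID_MIN */
    { "alice", 1000 },    /* regular user */
    { "qmaild", 64011 },  /* service account created above UID_MAX */
};

/* Find "KEY <decimal>" at the start of a line. Returns 0 and stores the
 * value, or -1 if the key is missing or the value is not a plain number. */
static int find_uid(const char *text, const char *key, unsigned long *out)
{
    size_t klen = strlen(key);
    for (const char *line = text; line && *line;
         line = strchr(line, '\n'), line = line ? line + 1 : NULL) {
        if (strncmp(line, key, klen) || (line[klen] != ' ' && line[klen] != '\t'))
            continue;
        const char *v = line + klen;
        char *end;
        while (*v == ' ' || *v == '\t') v++;
        if (*v < '0' || *v > '9') return -1;   /* rejects "", "abc", "-1" */
        errno = 0;
        *out = strtoul(v, &end, 10);
        return (errno || (*end != '\n' && *end != '\0')) ? -1 : 0;
    }
    return -1;
}

/* Nonzero if the uid falls in the regular-user range [UID_MIN, UID_MAX].
 * Unusable bounds fall back to 500 and 60000, the defaults in the patch. */
static int gets_homedir_context(const char *defs, unsigned long uid)
{
    unsigned long minuid, maxuid;
    if (find_uid(defs, "UID_MIN", &minuid) != 0) minuid = 500;
    if (find_uid(defs, "UID_MAX", &maxuid) != 0) maxuid = 60000;
    return uid >= minuid && uid <= maxuid;
}

int main(void)
{
    for (size_t i = 0; i < sizeof ACCTS / sizeof ACCTS[0]; i++)
        printf("%-7s uid=%-6lu %s\n", ACCTS[i].name, ACCTS[i].uid,
               gets_homedir_context(LOGIN_DEFS, ACCTS[i].uid) ? "home contexts" : "skipped");
    return 0;
}
```

With a malformed UID_MAX the function falls back to 60000 rather than treating the bound as 0, so regular users keep their home directory contexts.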
