access denied after password change
Posted: Tue Oct 31, 2006 12:39 pm
I've created a test user.
I've logged in with ssh and changed the password (all went fine).
The user can log back in with ssh, but immediately after I changed his password I was unable to "su - user" to him. The logs returned this message:
(me:U:/bin/su) denied access to hidden file /etc/shadow by /bin/su[su:12378] uid/euid:1000/0
1000 is my UID.
This is the subject ACL for user "me", uid 1000:
subject /bin/su o {
/ h
/dev h
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/log rw
/dev/urandom r
/etc/group r
/etc/ld.so.cache r
/etc/login.defs r
/etc/nsswitch.conf r
/etc/pam.d r
/etc/passwd r
/etc/security/limits.conf r
/etc/security/pam_env.conf r
/etc/shadow rw
/etc/shells r
/home r
/lib64 rx
/proc r
/root r
/usr/share/zoneinfo r
/var/run r
/var/run/utmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
So the subject should have access to /etc/shadow.
This problem only appears when the shadow file's content changes (the user changes his password). Reloading the rules helps, but this is not a way to solve the problem. Does grsec keep some checksums of the objects, so that when one changes, access is denied? Can this be solved somehow?
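Added note and example, not part of the original post and not grsecurity's own tooling. The RBAC system resolves each object path in the policy to an inode/device pair when the policy is loaded, and it is that pair, not the file's contents or a checksum, that a later access is matched against. passwd(1) does not edit /etc/shadow in place: it writes a new file beside it and renames that over the old name, so after a password change the name /etc/shadow refers to a different inode than the one the loaded policy knows about. The new file is then covered only by the subject's "/ h" catch-all, which is why the log calls it a hidden file, and reloading the policy re-resolves the path and makes the denial go away. The script below reproduces both cases in a temporary directory with constructed stand-in files (not the real /etc/shadow): a rename-over that changes the inode, and an in-place rewrite that does not. The helper inode_changed_by is a hypothetical name chosen here; it records a path's inode, runs a command, and reports whether the name now points at a different file.

```shell
#!/bin/sh
# Added example: shows why a content change of /etc/shadow can break an
# inode-keyed object rule while an in-place edit would not. All paths and
# file contents below are constructed stand-ins, not real system files.

inode_of() {
    # POSIX: the first field printed by `ls -i` is the inode number.
    ls -i "$1" | awk '{print $1}'
}

inode_changed_by() {
    # Usage: inode_changed_by PATH CMD [ARGS...]
    # Records PATH's inode, runs CMD, records the inode again.
    # Returns 0 if PATH now names a different file (inode changed), 1 if not.
    path=$1
    shift
    before=$(inode_of "$path")
    "$@"
    after=$(inode_of "$path")
    echo "$path: inode $before -> $after"
    [ "$before" != "$after" ]
}

replace_by_rename() {
    # What passwd(1) effectively does: write a new file next to the old one,
    # then rename() it over the old name. The name survives, the inode does not.
    printf 'user:$6$newhash:13452:0:99999:7:::\n' > "$1.new"
    mv -f "$1.new" "$1"
}

rewrite_in_place() {
    # Contrast: truncate and rewrite the existing file. Contents change,
    # the inode stays the same, so an inode-keyed object still matches.
    printf 'user:$6$newhash:13452:0:99999:7:::\n' > "$1"
}

demo() {
    dir=$(mktemp -d)
    # constructed shadow-style line; the hash is a placeholder
    printf 'user:$6$oldhash:13451:0:99999:7:::\n' > "$dir/shadow"

    if inode_changed_by "$dir/shadow" replace_by_rename "$dir/shadow"; then
        echo "rename-over: an object resolved to the old inode no longer matches this file"
    fi
    if ! inode_changed_by "$dir/shadow" rewrite_in_place "$dir/shadow"; then
        echo "in-place rewrite: same inode, the object still matches"
    fi

    rm -rf "$dir"
}

demo
```

On a grsecurity box the same helper can be pointed at the real file to confirm what a password change does to it, for example as root with the policy disabled: inode_changed_by /etc/shadow passwd testuser. Whatever the fix turns out to be on the policy side, the thing to watch is the inode of /etc/shadow before and after the change, not its contents.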