Dear developers,
I had to patch gradm_adm.c in order to make it possible to use PAM authentication on SLES11 SP1.
My PAM configuration is "the default" which is mostly pam_unix2:
sles11-64-grsecurity:/etc/pam.d # cat /etc/pam.d/gradm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
I had to apply the following patch to gradm-2.2.2-201109151158:
diff -rupN gradm2.orig/gradm_adm.c gradm2/gradm_adm.c
--- gradm2.orig/gradm_adm.c 2011-06-06 05:14:53.000000000 +0200
+++ gradm2/gradm_adm.c 2011-10-04 19:30:17.000000000 +0200
@@ -150,9 +150,11 @@ add_gradm_pam_acl(struct role_acl *role)
add_ip_acl(current_subject, GR_IP_BIND, &ip);
add_proc_object_acl(current_subject, "/", proc_object_mode_conv("h"), GR_FEXIST);
+ add_proc_object_acl(current_subject, "/etc/default/passwd", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/ld.so.cache", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/ld.so.preload", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/localtime", proc_object_mode_conv("r"), GR_FEXIST);
+ add_proc_object_acl(current_subject, "/etc/login.defs", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/protocols", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/passwd", proc_object_mode_conv("r"), GR_FEXIST);
add_proc_object_acl(current_subject, "/etc/shadow", proc_object_mode_conv("r"), GR_FEXIST);
@@ -185,6 +187,8 @@ add_gradm_pam_acl(struct role_acl *role)
add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL);
add_cap_acl(current_subject, "+CAP_AUDIT_WRITE", NULL);
+ add_sock_family(current_subject, "netlink");
+
return;
}
Which means adding just three lines. Do you consider this being acceptable to grsecurity?
Thank you in advance.
Additional permissions for /sbin/gradm_pam on SLES
3 posts
• Page 1 of 1
Additional permissions for /sbin/gradm_pam on SLES
by nt1277 » Tue Oct 04, 2011 1:48 pm
- nt1277
- Posts: 2
- Joined: Tue Oct 04, 2011 1:42 pm
Re: Additional permissions for /sbin/gradm_pam on SLES
by spender » Wed Oct 05, 2011 9:24 pm
Hi,
Looks good to me. I've just committed it -- it'll appear in the next gradm tarball. Thanks!
-Brad
Looks good to me. I've just committed it -- it'll appear in the next gradm tarball. Thanks!
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
Re: Additional permissions for /sbin/gradm_pam on SLES
by nt1277 » Thu Oct 06, 2011 9:52 am
Thank you very much. I hope I didn't open a security hole, and netlink isn't dangerous.
- nt1277
- Posts: 2
- Joined: Tue Oct 04, 2011 1:42 pm
3 posts
• Page 1 of 1