I've logged in with ssh and changed the password (all went fine).
The user can log back in with ssh, but immediately after I changed his password I was unable to "su - user" to him. The logs returned this message:
(me:U:/bin/su) denied access to hidden file /etc/shadow by /bin/su[su:12378] uid/euid:1000/0
1000 is my UID.
This is the subject ACL for user "me", UID 1000:
subject /bin/su o {
/ h
/dev h
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/log rw
/dev/urandom r
/etc/group r
/etc/ld.so.cache r
/etc/login.defs r
/etc/nsswitch.conf r
/etc/pam.d r
/etc/passwd r
/etc/security/limits.conf r
/etc/security/pam_env.conf r
/etc/shadow rw
/etc/shells r
/home r
/lib64 rx
/proc r
/root r
/usr/share/zoneinfo r
/var/run r
/var/run/utmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
So the subject should have access to /etc/shadow.
This problem only appears when the shadow file content changes (the user changes his password). Reloading the rules helps, but this is not a way to solve the problem. Does grsec keep some checksums of the objects, so that when one changes, access is denied? Can this be solved somehow?
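An added example, not from the original post and not grsecurity's own code, that shows the property the question is circling: gradm compiles object paths such as /etc/shadow into device/inode pairs, so what matters after a password change is whether the rewrite of the file kept its inode. The script rewrites a constructed stand-in for /etc/shadow two ways, in place (plain shell redirection) and via write-a-temporary-file-then-rename (the way shadow-utils commits /etc/shadow), and reports whether the inode survived each method. The temp directory, file contents and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compare how two ways of
# rewriting a file affect its inode. grsecurity RBAC objects are matched by
# device/inode, so a rule compiled for the old inode no longer matches a
# replacement file until the policy is reloaded.

inode_of() {
    # POSIX-portable inode lookup (avoids GNU/BSD `stat` flag differences)
    ls -di "$1" | awk '{print $1}'
}

rewrite_in_place() {
    # truncate and rewrite the existing file: same inode, new content
    printf '%s\n' "$2" > "$1"
}

rewrite_by_rename() {
    # write a sibling temp file and rename it over the target; this is what
    # shadow-utils (passwd, chage, vipw) does when it commits /etc/shadow,
    # and it always yields a fresh inode
    rbr_tmp="$1.tmp.$$"
    printf '%s\n' "$2" > "$rbr_tmp"
    mv -f "$rbr_tmp" "$1"
}

# Prints "same" if rewriting with the named method kept the file's inode,
# "changed" otherwise. Works on a constructed stand-in, never on /etc/shadow.
inode_after() {
    ia_method=$1
    ia_dir=$(mktemp -d)
    ia_file="$ia_dir/shadow"   # constructed stand-in for /etc/shadow
    printf 'user:oldhash:18000:0:99999:7:::\n' > "$ia_file"
    ia_before=$(inode_of "$ia_file")
    "$ia_method" "$ia_file" 'user:newhash:18001:0:99999:7:::'
    ia_after=$(inode_of "$ia_file")
    rm -rf "$ia_dir"
    if [ "$ia_before" = "$ia_after" ]; then echo same; else echo changed; fi
}

echo "in-place rewrite: inode $(inode_after rewrite_in_place)"
echo "rename rewrite:   inode $(inode_after rewrite_by_rename)"
```

If the rename path is the one that changes the inode on your system, a denial right after a password change that clears up on `gradm -R` is consistent with the loaded policy still pointing at the old inode of /etc/shadow until the reload recompiles the object list.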