fedora-selinux June 2009 archive

Re: pam_mkhomedir

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Sat Jun 06 2009 - 11:05:45 GMT
To: Vadym Chepkov <chepkov@yahoo.com>


On 06/05/2009 05:14 PM, Vadym Chepkov wrote:
>
> I started to work on a test case for selinux/winbind and found another unrelated issue with pam_mkhomedir. SELinux doesn't allow winbind user to create a home for himself and copy files from /etc/skel, I had to add the following rules into the local policy:
>
> allow sshd_t user_home_dir_t:file { write create setattr };
> unprivuser_home_filetrans_home_dir(sshd_t)
> unprivuser_create_home_dir(sshd_t)
>
>
> I searched bugzilla and it seems a related case was already filed (Bug 447096) against Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means after Fedora 11 is released it will be automatically closed without resolution like it has happened so many times in the past. Is there a way to keep a bug alive until it is actually resolved? Thanks.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
We would prefer you to use pam_oddjob_mkhomedir.

The problem with pam_mkhomedir is that it requires us to give privs to all login programs to write all over the users homedir. I do not want to give login programs this priv, because I want to prevent them from even being able to read the homedir. Imagine a remote exploit of sshd that allows me to pull data off the HOMEDIR without even logging in. Imagine being able to walk up to a gdm session and being able to trick it to read the homedir without logging in.

I do not think there is a way to get the bugzilla to move forward, without manual intervention.
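The check a defender would want after reading this exchange, as an added example that is not part of the thread and is not Fedora's, oddjob's or Dan Walsh's code: a small POSIX shell audit that reports whether a PAM stack relies on pam_mkhomedir.so (the login program itself, confined as sshd_t or a similar domain, writes into the home directory) or on pam_oddjob_mkhomedir.so (creation is delegated to oddjobd), and counts local-policy allow rules of the kind quoted above that hand a login-program domain write access to home directory types. The sample PAM lines and the sample .te file are constructed; sshd_t and user_home_dir_t come from the message, while the extra domain names xdm_t, login_t and local_login_t and the permission list are assumptions chosen for the example.

```shell
#!/bin/sh
# Audit helper added as an example; not part of the mailing-list thread and
# not Fedora's, oddjob's or Dan Walsh's code. It flags the two things the
# reply warns about: PAM stacks using pam_mkhomedir.so (the login program,
# in sshd_t / xdm_t, writes the home directory itself) and local SELinux
# policy rules that grant login-program domains write access to home
# directory types. pam_oddjob_mkhomedir.so hands the job to oddjobd instead.

# Print which home-directory module a PAM stack uses: mkhomedir, oddjob or none.
pam_homedir_module() {
    # $1: PAM config file, e.g. /etc/pam.d/system-auth
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_oddjob_mkhomedir\.so' "$1"; then
        echo oddjob
    elif grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"; then
        echo mkhomedir
    else
        echo none
    fi
}

# Count allow rules in a policy source (.te) that give an assumed set of
# login-program domains write-type permissions on a home directory type.
# Comment lines never match because the pattern is anchored on "allow".
risky_home_rules() {
    # $1: policy source file; prints 0 when nothing matches
    grep -Ec \
      '^[[:space:]]*allow[[:space:]]+(sshd|xdm|login|local_login)_t[[:space:]]+(user_)?home_(dir_)?t:(dir|file)[[:space:]]+.*(write|create|setattr|add_name|remove_name|unlink)' \
      "$1" || true
}

# Constructed sample inputs (not real system files) so the audit runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PAM_MKHOMEDIR="$SAMPLE_DIR/system-auth.mkhomedir"
SAMPLE_PAM_ODDJOB="$SAMPLE_DIR/system-auth.oddjob"
SAMPLE_TE="$SAMPLE_DIR/local.te"

cat > "$SAMPLE_PAM_MKHOMEDIR" <<'EOF'
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
EOF

cat > "$SAMPLE_PAM_ODDJOB" <<'EOF'
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
EOF

cat > "$SAMPLE_TE" <<'EOF'
# rules of the kind quoted in the message, plus one read-only rule for contrast
allow sshd_t user_home_dir_t:file { write create setattr };
allow sshd_t user_home_dir_t:dir { write add_name };
allow sshd_t user_home_t:file read;
EOF

# Stand-alone run: print findings for the constructed samples.
for f in "$SAMPLE_PAM_MKHOMEDIR" "$SAMPLE_PAM_ODDJOB"; do
    echo "$f: $(pam_homedir_module "$f")"
done
echo "$SAMPLE_TE: $(risky_home_rules "$SAMPLE_TE") risky home-dir allow rule(s)"
```

On a real host the functions would be pointed at /etc/pam.d/system-auth (or the distribution's equivalent) and at any locally built .te sources; a nonzero count from risky_home_rules is exactly the privilege the reply argues against granting, since those rules let a compromised login daemon touch home directory contents before any user has authenticated.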