pam_mkhomedir

Daniel J Walsh dwalsh at redhat.com
Sat Jun 6 11:05:45 UTC 2009


On 06/05/2009 05:14 PM, Vadym Chepkov wrote:
>
> I started to work on a test case for selinux/winbind and found another unrelated issue with pam_mkhomedir. SELinux doesn't allow winbind user to create a home for himself and copy files from /etc/skel, I had to add the following rules into the local policy:
>
> allow sshd_t user_home_dir_t:file { write create setattr };
> unprivuser_home_filetrans_home_dir(sshd_t)
> unprivuser_create_home_dir(sshd_t)
>
>
> I searched bugzilla and it seems a related case was already filed (Bug 447096) against Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means after Fedora 11 is released it will be automatically closed without resolution like it has happened so many times in the past. Is there a way to keep a bug alive until it is actually resolved? Thanks.
>
> Sincerely yours,
>    Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
We would prefer you to use pam_oddjob_mkhomedir.

The problem with pam_mkhomedir is that it requires us to give privs to 
all login programs to write all over the users homedir.  I do not want 
to give login programs this priv, because I want to prevent them from 
even being able to read the homedir.  Imagine a remote exploit of sshd 
that allows me to pull data off the HOMEDIR without even logging in. 
Imagine being able to walk up to a gdm session and being able to trick 
it to read the homedir without logging in.

I do not think there is a way to get the bugzilla to move forward, 
without manual intervention.
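The least-privilege point above, as an added example that is not part of the list post: a small POSIX shell audit that flags a PAM session stack still using pam_mkhomedir.so (which makes the login program itself write into user_home_dir_t, hence the extra sshd_t rules quoted above) and rewrites that line to pam_oddjob_mkhomedir.so, which hands the mkdir and /etc/skel copy to the oddjobd daemon instead. The PAM stack is a constructed sample; the function names, the rewrite to umask=0077 only, and the assumption that oddjobd is installed and enabled on the host are mine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits a PAM session stack for pam_mkhomedir.so and shows the
# pam_oddjob_mkhomedir.so replacement, so login programs (sshd, gdm, ...)
# never need write access to home directories themselves.

# Constructed sample stack; on a real system this would be the contents of
# /etc/pam.d/system-auth (or /etc/pam.d/sshd).
SAMPLE_PAM_STACK='session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077 skel=/etc/skel
session     required      pam_unix.so'

# Prints any non-comment line that loads pam_mkhomedir.so.
# Returns 1 when the module is in use, 0 when the stack is clean.
audit_pam_stack() {
    stack="$1"
    # drop comment lines, then match the module name exactly
    # (pam_oddjob_mkhomedir.so does not match pam_mkhomedir\.so)
    hits=$(printf '%s\n' "$stack" | grep -v '^[[:space:]]*#' \
               | grep 'pam_mkhomedir\.so' || true)
    if [ -n "$hits" ]; then
        printf 'pam_mkhomedir.so in use (login program writes the homedir):\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Rewrites the pam_mkhomedir.so line to pam_oddjob_mkhomedir.so.
# Only umask is kept: oddjobd-mkhomedir does the /etc/skel copy itself,
# running as its own daemon rather than as sshd_t or xdm_t.
rewrite_to_oddjob() {
    printf '%s\n' "$1" \
        | sed 's/pam_mkhomedir\.so.*/pam_oddjob_mkhomedir.so umask=0077/'
}

# Stand-alone run: report, then print the corrected stack.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    audit_pam_stack "$SAMPLE_PAM_STACK" || true
    printf -- '--- corrected stack ---\n'
    rewrite_to_oddjob "$SAMPLE_PAM_STACK"
fi
```

After applying the rewrite on a real host, oddjobd has to be running for the session module to do anything (on Fedora of that era, `chkconfig oddjobd on` and `service oddjobd start`); with oddjobd stopped, pam_oddjob_mkhomedir simply fails to create the directory rather than falling back to doing it in the login process.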
