LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Multipath TCP: an overview

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

turn the /etc/shadow argument on it's head

turn the /etc/shadow argument on it's head

Posted Apr 27, 2006 7:48 UTC (Thu) by dlang (✭ supporter ✭, #313)
Parent article: The AppArmor debate begins

if AppArmor won't protect you if you manage to create a new name for the file /etc/shadow, SELinux (which doesn't care about filenames, only the files themselves) won't protect you if you manage to change the name /etc/shadow to point at a new file.

you know what? every other program in the system will try to access whatever file /etc/shadow is pointing at, they won't care about the object that used to be called /etc/shadow that SELinux is still protecting, they'll happily use the new file

any way that you mark all things that access /etc/shadow to only access the 'true' /etc/shadow file requires active work to maintain over time (every program that modifies it, including vi/emacs, will need to set the correct SELinux label, and if any of them get it wrong, the whole system stops)

while AppArmor doesn't try to do everything that SELinux attempts to do, in some ways it's far more useful.

David Lang

P.S. I still haven
t seen an example of how to set and maintain permissions along the lines of /home/*/public_html/* to pull an example the AA people have used to show the power of the path based approach

(Log in to post comments)

turn the /etc/shadow argument on it's head

Posted Apr 27, 2006 15:59 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

I know only a little about SELinux, but I believe that you are incorrect. Programs that use /etc/shadow for password authorization can check the security label; if it is not set to the proper value, authorization can be made to fail. So if you manage to make /etc/shadow point to a new file, you only achieve denial-of-service: no one can log in.

But even if this check is not made, ordinary users can make a hard link to /etc/shadow if they have write access to a directory in the same filesystem as /etc. Ordinary users cannot make /etc/shadow point to a different file unless they have already cracked root. So you haven't quite turned the argument on its head: it is easier to add new names than to change what a name refers to.

turn the /etc/shadow argument on it's head

Posted Apr 28, 2006 6:01 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

and AppArmor only allows you to create a link to a file if you have permission to modify the file itself so creating a new name isn't as trivial

turn the /etc/shadow argument on it's head

Posted May 4, 2006 14:48 UTC (Thu) by anLWNreader (guest, #36915) [Link]

That would break POSIX. I hope AppArmor doesn't do that.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds