mailing list of musl libc
* shadow.h
@ 2013-02-26 22:54 Daniel Cegiełka
  2013-02-26 23:19 ` shadow.h Szabolcs Nagy
  2013-02-26 23:35 ` shadow.h Rich Felker
  0 siblings, 2 replies; 10+ messages in thread
From: Daniel Cegiełka @ 2013-02-26 22:54 UTC (permalink / raw)
  To: musl

Hi,
It seems that musl doesn't contain several important shadow
functions that are declared in shadow.h.

# ldd /lib/security/pam_unix.so
	libpam.so => /lib/libpam.so (0x7fcac91b8000)
Error relocating /lib/security/pam_unix.so: putspent: symbol not found
Error relocating /lib/security/pam_unix.so: fgetspent: symbol not found
Error relocating /lib/security/pam_unix.so: putpwent: symbol not found

Best regards,
Daniel



* Re: shadow.h
  2013-02-26 22:54 shadow.h Daniel Cegiełka
@ 2013-02-26 23:19 ` Szabolcs Nagy
  2013-02-27  8:24   ` shadow.h Daniel Cegiełka
  2013-02-26 23:35 ` shadow.h Rich Felker
  1 sibling, 1 reply; 10+ messages in thread
From: Szabolcs Nagy @ 2013-02-26 23:19 UTC (permalink / raw)
  To: musl

* Daniel Cegiełka <daniel.cegielka@gmail.com> [2013-02-26 23:54:58 +0100]:
> It seems that musl doesn't contain several important shadow
> functions that are declared in shadow.h.
> 

/etc/shadow requires privilege escalation for password changes,
so putspent is dangerous; pam_unix should be deprecated on
modern systems

http://www.openwall.com/tcb/

(i think this already came up a few times, maybe it should be in a faq..)



* Re: shadow.h
  2013-02-26 22:54 shadow.h Daniel Cegiełka
  2013-02-26 23:19 ` shadow.h Szabolcs Nagy
@ 2013-02-26 23:35 ` Rich Felker
  2013-02-27  9:09   ` shadow.h Daniel Cegiełka
  1 sibling, 1 reply; 10+ messages in thread
From: Rich Felker @ 2013-02-26 23:35 UTC (permalink / raw)
  To: musl

On Tue, Feb 26, 2013 at 11:54:58PM +0100, Daniel Cegiełka wrote:
> Hi,
> It seems that musl doesn't contain several important shadow
> functions that are declared in shadow.h.
> 
> # ldd /lib/security/pam_unix.so
> 	libpam.so => /lib/libpam.so (0x7fcac91b8000)
> Error relocating /lib/security/pam_unix.so: putspent: symbol not found
> Error relocating /lib/security/pam_unix.so: fgetspent: symbol not found
> Error relocating /lib/security/pam_unix.so: putpwent: symbol not found

These have been discussed before and I believe the intent is to add
them (they're simple fprintf wrappers, if I remember correctly), but
be aware that pam_unix.so's support for writing to the password
database assumes a certain form and will break things badly if the
user is using tcb shadow. It might also mess up the shadow file if it
depends on being able to iterate all entries in the shadow file; I'm
not sure if that works or not.

These are issues that need more discussion...

Rich



* Re: shadow.h
  2013-02-26 23:19 ` shadow.h Szabolcs Nagy
@ 2013-02-27  8:24   ` Daniel Cegiełka
  2013-02-27 16:52     ` shadow.h Rich Felker
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Cegiełka @ 2013-02-27  8:24 UTC (permalink / raw)
  To: musl

2013/2/27 Szabolcs Nagy <nsz@port70.net>:

> /etc/shadow requires privilege escalation for password changes,
> so putspent is dangerous; pam_unix should be deprecated on
> modern systems
>
> http://www.openwall.com/tcb/
>
> (i think this already came up a few times, maybe it should be in a faq..)

owl's tcb and musl? It's harder than it seems.

1) __crypt_blowfish() in musl isn't compatible with
__crypt_blowfish_rn(), so there is no support for owl's
__crypt_gensalt_ra(), crypt_ra/rn() etc. (owl's salt and tcb
prefixes):

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tcb/tcb/pam_tcb/support.c?rev=1.12.2.1;content-type=text%2Fplain

2) nss/rpc/yp - but can be easily removed from the owl's tcb.

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tcb/tcb/libs/nss.c?rev=1.4;content-type=text%2Fplain
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tcb/tcb/pam_tcb/yppasswd_xdr.c?rev=1.2;content-type=text%2Fplain

3) owl's shadow+tcb requires pam_userpass, which requires libpamc (pam
client) from Linux-PAM... but it can also be removed. etc... etc.
(pam_chpw.c):

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-tcb.diff?rev=1.5;content-type=text%2Fplain


Currently I'm trying to use OpenPAM with musl, but I'm going to use
owl's tcb (without nss).

btw. openpam-modules:

http://git.overlays.gentoo.org/gitweb/?p=proj/openpam-modules.git;a=tree;h=821a37ad1a2a084c13ac7c0086bd6d1e737b78c4;hb=821a37ad1a2a084c13ac7c0086bd6d1e737b78c4

Best regards,
Daniel



* Re: shadow.h
  2013-02-26 23:35 ` shadow.h Rich Felker
@ 2013-02-27  9:09   ` Daniel Cegiełka
  2013-02-27 16:54     ` shadow.h Rich Felker
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Cegiełka @ 2013-02-27  9:09 UTC (permalink / raw)
  To: musl

2013/2/27 Rich Felker <dalias@aerifal.cx>:
> On Tue, Feb 26, 2013 at 11:54:58PM +0100, Daniel Cegiełka wrote:

>> Error relocating /lib/security/pam_unix.so: putspent: symbol not found
>> Error relocating /lib/security/pam_unix.so: fgetspent: symbol not found
>> Error relocating /lib/security/pam_unix.so: putpwent: symbol not found
>
> These have been discussed before and I believe the intent is to add
> them (they're simple fprintf wrappers, if I remember correctly),

...or can be removed from shadow.h.

> but
> be aware that pam_unix.so's support for writing to the password
> database assumes a certain form and will break things badly if the
> user is using tcb shadow. It might also mess up the shadow file if it
> depends on being able to iterate all entries in the shadow file; I'm
> not sure if that works or not.
>
> These are issues that need more discussion...

I prefer tcb, but the current implementation in musl isn't as
functional as owl's (privilege separation):

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tcb/tcb/libs/libtcb.c?rev=1.9;content-type=text%2Fplain

Daniel



* Re: shadow.h
  2013-02-27  8:24   ` shadow.h Daniel Cegiełka
@ 2013-02-27 16:52     ` Rich Felker
  2013-02-27 17:18       ` shadow.h Daniel Cegiełka
  0 siblings, 1 reply; 10+ messages in thread
From: Rich Felker @ 2013-02-27 16:52 UTC (permalink / raw)
  To: musl

On Wed, Feb 27, 2013 at 09:24:40AM +0100, Daniel Cegiełka wrote:
> 2013/2/27 Szabolcs Nagy <nsz@port70.net>:
> 
> > /etc/shadow requires privilege escalation for password changes,
> > so putspent is dangerous; pam_unix should be deprecated on
> > modern systems
> >
> > http://www.openwall.com/tcb/
> >
> > (i think this already came up a few times, maybe it should be in a faq..)
> 
> owl's tcb and musl? It's harder than it seems.
> 
> 1) __crypt_blowfish() in musl isn't compatible with
> __crypt_blowfish_rn(), so there is no support for owl's

This is intentional. __-prefixed functions are not intended to be
externally visible except for a small set (e.g. stdio_ext.h) with
historical precedent or ABI things like __errno_location.

I hope we can work with owl to get a good solution. I'm not sure why
they don't just use crypt_r, since it would certainly do the job, but
if they want to use the special functions when available, they could
still include a fallback to crypt_r.

> __crypt_gensalt_ra(), crypt_ra/rn() etc. (owl's salt and tcb
> prefixes):

My feeling was that salt generation doesn't belong in libc. Just
adding these functions into the owl pam code should do the trick.

Rich



* Re: shadow.h
  2013-02-27  9:09   ` shadow.h Daniel Cegiełka
@ 2013-02-27 16:54     ` Rich Felker
  2013-02-27 17:04       ` shadow.h Daniel Cegiełka
  0 siblings, 1 reply; 10+ messages in thread
From: Rich Felker @ 2013-02-27 16:54 UTC (permalink / raw)
  To: musl

On Wed, Feb 27, 2013 at 10:09:18AM +0100, Daniel Cegiełka wrote:
> 2013/2/27 Rich Felker <dalias@aerifal.cx>:
> > On Tue, Feb 26, 2013 at 11:54:58PM +0100, Daniel Cegiełka wrote:
> 
> >> Error relocating /lib/security/pam_unix.so: putspent: symbol not found
> >> Error relocating /lib/security/pam_unix.so: fgetspent: symbol not found
> >> Error relocating /lib/security/pam_unix.so: putpwent: symbol not found
> >
> > These have been discussed before and I believe the intent is to add
> > them (they're simple fprintf wrappers, if I remember correctly),
> 
> ...or can be removed from shadow.h.
> 
> > but
> > be aware that pam_unix.so's support for writing to the password
> > database assumes a certain form and will break things badly if the
> > user is using tcb shadow. It might also mess up the shadow file if it
> > depends on being able to iterate all entries in the shadow file; I'm
> > not sure if that works or not.
> >
> > These are issues that need more discussion...
> 
> I prefer tcb, but the current implementation in musl isn't as
> functional as owl's (privilege separation):

Can you explain this better? I don't think the code in libc has
anything to do with privilege separation model used. It only *reads*
the tcb shadow data; it doesn't write anything, and it doesn't depend
on any particular permissions model for the data except that it be
readable by whichever user is doing the authenticating.

Rich

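Rich's two replies above describe the missing functions as simple fprintf wrappers over the shadow(5) record format, and point out that the libc side of tcb only reads the per-user file. The block below is an added example written for this page, not musl's or Owl's code: it parses and serialises shadow records the way sgetspent/putspent would, refuses ':' and newline in the string fields so a crafted user name cannot inject an extra record, builds the per-user tcb path with a check that the name cannot escape the tcb directory, and scans a stream for one user the way an fgetspent loop would. The struct shadow_rec (a mirror of struct spwd's fields), the function names, and the hard-coded /etc/tcb/<user>/shadow layout are this example's assumptions, as is the sample input in the usage note.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local mirror of struct spwd (shadow.h) so this builds without it. */
struct shadow_rec {
    const char *sp_namp, *sp_pwdp;
    long sp_lstchg, sp_min, sp_max, sp_warn, sp_inact, sp_expire;
    unsigned long sp_flag;
};

/* sgetspent-style parse of one line (modified in place): exactly 9 colon
 * fields; empty numeric fields mean "not set" (-1, ~0UL for sp_flag). */
int parse_shadow_line(char *line, struct shadow_rec *sp)
{
    long *nums[6] = { &sp->sp_lstchg, &sp->sp_min, &sp->sp_max,
                      &sp->sp_warn, &sp->sp_inact, &sp->sp_expire };
    char *f[9], *end;
    int i;
    line[strcspn(line, "\n")] = '\0';
    for (i = 0; i < 8; i++) {
        char *c = strchr(line, ':');
        if (!c) return -1;                     /* too few fields */
        *c = '\0';
        f[i] = line;
        line = c + 1;
    }
    if (strchr(line, ':')) return -1;          /* a 10th field */
    f[8] = line;
    sp->sp_namp = f[0];
    sp->sp_pwdp = f[1];
    for (i = 0; i < 6; i++) {
        if (*f[i + 2] == '\0') { *nums[i] = -1; continue; }
        errno = 0;
        *nums[i] = strtol(f[i + 2], &end, 10);
        if (*end || errno) return -1;
    }
    if (*f[8] == '\0') { sp->sp_flag = ~0UL; return 0; }
    sp->sp_flag = strtoul(f[8], &end, 10);
    return *end ? -1 : 0;
}

/* putspent-style serialisation; -1 fields are written empty. A ':' or
 * newline inside a name or hash would smuggle extra fields or a whole
 * extra record into the file, so those are refused up front. */
int format_shadow_rec(const struct shadow_rec *sp, char *buf, size_t n)
{
    const long nums[6] = { sp->sp_lstchg, sp->sp_min, sp->sp_max,
                           sp->sp_warn, sp->sp_inact, sp->sp_expire };
    size_t off;
    int i, k;
    if (strpbrk(sp->sp_namp, ":\n") || strpbrk(sp->sp_pwdp, ":\n")) {
        errno = EINVAL; return -1;
    }
    k = snprintf(buf, n, "%s:%s:", sp->sp_namp, sp->sp_pwdp);
    if (k < 0 || (size_t)k >= n) return -1;
    off = (size_t)k;
    for (i = 0; i < 6; i++) {
        k = nums[i] == -1 ? snprintf(buf + off, n - off, ":")
                          : snprintf(buf + off, n - off, "%ld:", nums[i]);
        if (k < 0 || off + (size_t)k >= n) return -1;
        off += (size_t)k;
    }
    k = sp->sp_flag == ~0UL ? snprintf(buf + off, n - off, "\n")
                            : snprintf(buf + off, n - off, "%lu\n", sp->sp_flag);
    return (k < 0 || off + (size_t)k >= n) ? -1 : 0;
}

/* Parse then re-serialise; returns the rebuilt line, or NULL on error. */
const char *shadow_roundtrip(const char *line)
{
    static char in[512], out[512];
    struct shadow_rec sp;
    if (snprintf(in, sizeof in, "%s", line) >= (int)sizeof in) return NULL;
    if (parse_shadow_line(in, &sp) || format_shadow_rec(&sp, out, sizeof out))
        return NULL;
    return out;
}

/* Per-user tcb path (assumed layout /etc/tcb/<user>/shadow). The name is
 * untrusted input, so anything that could escape /etc/tcb is refused. */
int tcb_shadow_path(const char *name, char *buf, size_t n)
{
    if (!*name || strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    return snprintf(buf, n, "/etc/tcb/%s/shadow", name) < (int)n ? 0 : -1;
}

/* fgetspent-style scan of a shadow stream for one user; the record points
 * into buf (lines longer than n-1 bytes are not handled). Malformed
 * lines are skipped rather than treated as fatal. */
int find_shadow_rec(FILE *fp, const char *name, struct shadow_rec *sp,
                    char *buf, size_t n)
{
    while (fgets(buf, n, fp))
        if (!parse_shadow_line(buf, sp) && !strcmp(sp->sp_namp, name))
            return 0;
    return -1;
}
```

Fed a constructed line such as "alice:!:19000:1:90:7:14:20000:" (no real hash), shadow_roundtrip() returns the same line with a trailing newline, while a record whose name contains a newline is rejected by format_shadow_rec() with EINVAL. tcb_shadow_path() accepts "alice" and refuses "../shadow" or ".."; find_shadow_rec() can be driven from any FILE*, for instance one opened with fmemopen() over a constructed in-memory database, and ignores lines that do not parse. None of this touches the privilege model: like the libc side of tcb, the lookup only needs the file to be readable by the caller.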


* Re: shadow.h
  2013-02-27 16:54     ` shadow.h Rich Felker
@ 2013-02-27 17:04       ` Daniel Cegiełka
  2013-02-27 17:06         ` shadow.h Rich Felker
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Cegiełka @ 2013-02-27 17:04 UTC (permalink / raw)
  To: musl

2013/2/27 Rich Felker <dalias@aerifal.cx>:

>>
>> I prefer tcb, but the current implementation in musl isn't as
>> functional as owl's (privilege separation):
>
> Can you explain this better?

Owl's tcb uses SGID instead of SUID, so SUID is not needed for programs
like passwd. Here is a good presentation:

http://www.openwall.com/presentations/Owl/mgp00020.html

> I don't think the code in libc has
> anything to do with privilege separation model used. It only *reads*
> the tcb shadow data; it doesn't write anything, and it doesn't depend
> on any particular permissions model for the data except that it be
> readable by whichever user is doing the authenticating.
>
> Rich



* Re: shadow.h
  2013-02-27 17:04       ` shadow.h Daniel Cegiełka
@ 2013-02-27 17:06         ` Rich Felker
  0 siblings, 0 replies; 10+ messages in thread
From: Rich Felker @ 2013-02-27 17:06 UTC (permalink / raw)
  To: musl

On Wed, Feb 27, 2013 at 06:04:08PM +0100, Daniel Cegiełka wrote:
> 2013/2/27 Rich Felker <dalias@aerifal.cx>:
> 
> >>
> >> I prefer tcb, but the current implementation in musl isn't as
> >> functional as owl's (privilege separation):
> >
> > Can you explain this better?
> 
> Owl's tcb uses SGID instead of SUID, so SUID is not needed for programs
> like passwd. Here is a good presentation:
> 
> http://www.openwall.com/presentations/Owl/mgp00020.html

This has nothing to do with the interfaces in libc, which do not
modify any tcb data. They only read it and they work with whichever
privilege model you prefer.

Rich



* Re: shadow.h
  2013-02-27 16:52     ` shadow.h Rich Felker
@ 2013-02-27 17:18       ` Daniel Cegiełka
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel Cegiełka @ 2013-02-27 17:18 UTC (permalink / raw)
  To: musl

2013/2/27 Rich Felker <dalias@aerifal.cx>:
> On Wed, Feb 27, 2013 at 09:24:40AM +0100, Daniel Cegiełka wrote:

> I hope we can work with owl to get a good solution.

I'm experimenting with OpenPAM/musl/tcb. OpenPAM has nothing directly
to do with musl, but it would be interesting to develop a comprehensive
solution for authentication and password management. OpenPAM's code is
much smaller than Linux-PAM's, and owl's tcb has support for OpenPAM.

Daniel


