Move the call to pam_motd before pam_selinux open

pam_selinux calls setexeccon() with the context of the user, which means
that the first execve() after the call to "pam_selinux open" will be
executed in the user's context.

As pam_motd in Debian calls system() to run run-parts to generate the
motd dynamically, we need to be sure that this is done before that, so it
runs in the context of the login executable.
Laurent Bigonville
2019-09-03 16:48:39 +02:00
parent 9bda99f55d
commit 4d8a10d86c

debian/login.pam

@@ -26,9 +26,19 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
# Sets the loginuid process attribute
session required pam_loginuid.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
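Review bot: the pam_motd.so lines added between pam_loginuid.so and "pam_selinux.so open" carry over the old explanatory comment, but nothing at the new position says why they must stay above pam_selinux open. Since the whole point of the move is that pam_motd's system()/run-parts call must happen before setexeccon() takes effect on the next execve(), a later reorder of this file could silently regress it. Suggest a comment on the placement, for example `# Must run before pam_selinux open: pam_motd spawns run-parts and that` / `# execve() has to happen in login's context, not the user's.` The existing "Only sessions which are intended to run in the user's context should be run after this" line helps, but it is attached to pam_selinux rather than to pam_motd, which is the module whose position now matters.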
@@ -71,13 +81,6 @@ session required pam_limits.so
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
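Review bot: removing this block means pam_motd.so now runs before pam_lastlog.so, which stays at its old position in this hunk's context, so the dynamic and static MOTD are printed before the last-login line rather than after it. That ordering change is a user-visible side effect of the fix that the commit message does not mention; worth stating there or in the changelog so the new banner order is understood to be intentional rather than reported as a regression.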