Thread: Re: [Audit-test-developer] [PATCH 16/19] libpam, tp: loginuid fails if already set for current sess (Page 3)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

----- Original Message -----
> On 08/29/13 08:41, Miroslav Vadkerti wrote:
> > Hi Linda, let me try to explain in more detail
> > 
> > ----- Original Message -----
> >> On 08/21/13 12:24, Jiri Jaburek wrote:
> >>> From: Miroslav Vadkerti <mva...@re...>
> >>>
> >>> In recent RHEL7 kernel changes the loginuid call fails with
> >>> pam_loginuid where loginuid already set in session.
> >>>
> >>> This fix temporarily disables pam_loginuid in /etc/pam.d/login
> >>> as a workaround. This has no effect on testing purpose of
> >>> this test.
> >>>
> >>> The check for auid in augrok is not needed for this test.
> >>> The loginuid remains unchanged because of this workaround.
> >>
> >> Sorry, but I don't understand what you're saying here.
> >>
> >> What's broken?
> > In RHEL7 pam_loginuid will kick you out if login uid (auid) is already set.
> > This
> > is a change in behavior compared to RHEL6 where this worked. This change is
> > not a bug
> > but a feature - as I was told from our developers.
> 
> That's bizarre.  I wonder what else that's going to break - beyond just the
> test cases.  Does it really cause the login to fail or does it just not
> update
> the auid?  Causing the login to fail doesn't seem right.

Well this change relates to systemd and it is more like a feature [1]. As for the things that
might break it is generally all services that support login via PAM. These all need now to be run 
via systemd to work. We did not find anything else that would break because of this change in the test suite. 

The login won't fail if used normally (via mingetty/agetty on consoles). The way we are testing the login command is not 
a supported way as I was told by our developer that maintains util-linux-ng. I know this worked somehow
for RHEL6 and earlier. The command is not intended to be run manually.

Sorry for not posting examples earlier - the pam session will kick you out like this [2], so you wan't be able
to login.

I'm thinking that maybe we could use telnet server run from systemd that should use login command. I will also check
this possibility. Of course installing telnet-server would break the evaluated configuration AFAICT, but maybe we could
do this only for the testing or distribute a small telnet server for this purpose. If it would work.

> 
> > As a consequence all tests that
> > use login command (in expect snippets) will fail.
> > 
> >> Why is this workaround ok?
> >> Why don't we need to check the auid when having it set correctly
> >> is an important part of logging in?
> > I think it is enough to test the pam_loginuid functionality with one login
> > mechanism.
> > In current upstream code this is tested only with the tests that this patch
> > touches
> > using login command. The truth is I believed also other login mechanism
> > (ssh) is used to check
> > the correct auid value. So this patch set will need more work. I would
> > suggest to move
> > the currently removed auid testing to the ssh tests. This should be
> > sufficient for checking
> > the correct functionality of pam_loginuid.
> 
> I agree that we don't need to test things in multiple places.  We have other
> tests for pam_loginuid, such as fail-safe/tests/test_loginuid.bash.  It uses
> ssh
> to verify that users can't log in if auditd isn't running, which is something
> that is enforced with that pam module.  We could have a test case
> that uses ssh and explicitly tests auid as a libpam test.

I will try to come up with a patch in libpam for pam_loginuid auid functionality
in the next round of our patches. This may come handy later if we will not be able
to properly workaround this problem.

> 
> >> If something has changed causing us to no longer have a valid
> >> login test, I'd rather see the test fail until we do have a valid
> >> login test.
> > I think when we introduce the auid testing part to the ssh tests the login
> > testing is again
> > on pair with the current upstream code.
> 
> What's bothering me here is that these login tests are supposed to test the
> pam configuration for login, and the first thing it does is modify the pam
> configuration for login to not be in the evaluated configuration.  It seems
> to me like we no longer have a good set of tests for login.  For example, if
> the system didn't have that session line in /etc/pam.d/login, how would we
> know?
> The tests would succeed but the system would in fact be broken.

Currently I do not see any other way how to test with login command as the one proposed.
I will try to discuss this more with our developers and report back.

Regarding the missing session line in /etc/pam.d/login we could check before running
the test if pam_loginuid is available in the configuration. But lets keep that conversation
for later time.

> 
> > Hopefully my intentions are more clear now :)
> 
> They are, and hopefully my concerns are clearer too.  I think we're going
> to have to figure out how to test login in the evaluated configuration.
> In the meantime, I think these tests should just fail if it doesn't work.

Yes they are. Lets remove this patch for now.

[1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=633b45454503489209b0d9a45f9e3cd1b852c614
[2]  
# expect -c '
>     spawn login
>     sleep 1
>     expect -nocase {login: $} {send "tester\r"}
>     expect -nocase {password: $} {send "tester\r"}
>     expect -nocase {level} {send "\r"}
>     send "PS1=:\\::\r"
>     expect {:::$} {close; wait}'
spawn login
rhel7cc login: tester
Password: 
Unable to get valid context for tester
Cannot make/remove an entry for the specified session

/M

> 
> -- ljk
> 
> > 
> > /M
> > 
> >>
> >> -- ljk
> >>
> >>>
> >>> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> >>> ---
> >>>  audit-test/libpam/tests/test_login.bash                |  4 ++++
> >>>  audit-test/libpam/tests/test_mls_default_login.bash    |  9 +++++++--
> >>>  audit-test/libpam/tests/test_mls_level_login.bash      |  9 +++++++--
> >>>  audit-test/libpam/tests/test_mls_level_login_fail.bash | 14
> >>>  +++++++++++---
> >>>  audit-test/libpam/tests/test_namespace.bash            |  9 +++++++--
> >>>  audit-test/trustedprograms/tests/test_lpq.bash         |  5 +++++
> >>>  6 files changed, 41 insertions(+), 9 deletions(-)
> >>>
> >>> diff --git a/audit-test/libpam/tests/test_login.bash
> >>> b/audit-test/libpam/tests/test_login.bash
> >>> index 3d05afa..d834900 100755
> >>> --- a/audit-test/libpam/tests/test_login.bash
> >>> +++ b/audit-test/libpam/tests/test_login.bash
> >>> @@ -26,7 +26,11 @@ chmod 666 $localtmp
> >>>  
> >>>  # turn off screen in /etc/profile
> >>>  backup /etc/profile
> >>> +backup /etc/pam.d/login
> >>>  sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
> >>> +# In RHEL7 the pam_loginuid fails if loginuid already set
> >>> +# for the purpose of this test we disable it temporarily
> >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >>>  
> >>>  # if in LSPP mode, map the TEST_USER to staff_u
> >>>  if [[ $PPROFILE == "lspp" ]]; then
> >>> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash
> >>> b/audit-test/libpam/tests/test_mls_default_login.bash
> >>> index 6fca015..ac7f2b7 100755
> >>> --- a/audit-test/libpam/tests/test_mls_default_login.bash
> >>> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> >>> @@ -44,6 +44,11 @@ fi
> >>>  # use backup (and automatic restore) to work around this
> >>>  backup /var/run/utmp
> >>>  
> >>> +# In RHEL7 the pam_loginuid fails if loginuid already set
> >>> +# for the purpose of this test we disable it temporarily
> >>> +backup /etc/pam.d/login
> >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >>> +
> >>>  # test
> >>>  (
> >>>      export localtmp
> >>> @@ -63,11 +68,11 @@ pts=${pts##*/}
> >>>  msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts
> >>>  res=success.*"
> >>>  augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> >>>  augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> >>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> >>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> >>>  	subj=$login_context || exit_fail
> >>>  # Check for ROLE_ASSIGN event for testuser
> >>>  augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range
> >>>  acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0
> >>>  new-seuser=staff_u
> >>>  new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r
> >>>  new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> >>>  # Check for USER_ROLE_CHANGE for login command
> >>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam:
> >>> default-context=$def_context
> >>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
> >>> res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> >>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam:
> >>> default-context=$def_context
> >>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
> >>> res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
> >>>  
> >>>  exit_pass
> >>> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash
> >>> b/audit-test/libpam/tests/test_mls_level_login.bash
> >>> index 436bcda..063647f 100755
> >>> --- a/audit-test/libpam/tests/test_mls_level_login.bash
> >>> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> >>> @@ -42,6 +42,11 @@ fi
> >>>  # use backup (and automatic restore) to work around this
> >>>  backup /var/run/utmp
> >>>  
> >>> +# In RHEL7 the pam_loginuid fails if loginuid already set
> >>> +# for the purpose of this test we disable it temporarily
> >>> +backup /etc/pam.d/login
> >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >>> +
> >>>  # test
> >>>  (
> >>>      export localtmp
> >>> @@ -68,7 +73,7 @@ fi
> >>>  msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> >>>  augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> >>>  augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> >>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> >>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> >>>  	subj=$login_context || exit_fail
> >>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam:
> >>> default-context=$def_context
> >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*"
> >>> auid=$auid || exit_fail
> >>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam:
> >>> default-context=$def_context
> >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" ||
> >>> exit_fail
> >>>  exit_pass
> >>> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> >>> b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> >>> index 92562f9..ba04604 100755
> >>> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> >>> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> >>> @@ -42,6 +42,11 @@ fi
> >>>  # use backup (and automatic restore) to work around this
> >>>  backup /var/run/utmp
> >>>  
> >>> +# In RHEL7 the pam_loginuid fails if loginuid already set
> >>> +# for the purpose of this test we disable it temporarily
> >>> +backup /etc/pam.d/login
> >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >>> +
> >>>  # test
> >>>  (
> >>>      export localtmp
> >>> @@ -52,11 +57,14 @@ backup /var/run/utmp
> >>>  	expect -nocase {level} {send "Y\r"}
> >>>  	expect -nocase {role:} {send "\r"}
> >>>  	expect -nocase {level:} {send "s15\r"}
> >>> -	expect -nocase {"authentication failure"} {close; wait}'
> >>> +	expect {
> >>> +		-nocase {"authentication failure"} {close; wait}
> >>> +		-nocase {"Cannot make/remove"} {close; wait}
> >>> +	}'
> >>>  )
> >>>  
> >>>  msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> >>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> >>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> >>>  	subj=$login_context || exit_fail
> >>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam:
> >>> default-context=$def_context
> >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*"
> >>> auid=$auid || exit_fail
> >>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam:
> >>> default-context=$def_context
> >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" ||
> >>> exit_fail
> >>>  exit_pass
> >>> diff --git a/audit-test/libpam/tests/test_namespace.bash
> >>> b/audit-test/libpam/tests/test_namespace.bash
> >>> index 6fb20da..6642350 100755
> >>> --- a/audit-test/libpam/tests/test_namespace.bash
> >>> +++ b/audit-test/libpam/tests/test_namespace.bash
> >>> @@ -59,6 +59,11 @@ backup /var/run/utmp
> >>>  backup /etc/security/namespace.conf
> >>>  echo "/tmp /tmp-parent/tmp-inst/ level root,adm" >
> >>>  /etc/security/namespace.conf
> >>>  
> >>> +# In RHEL7 the pam_loginuid fails if loginuid already set
> >>> +# for the purpose of this test we disable it temporarily
> >>> +backup /etc/pam.d/login
> >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >>> +
> >>>  tmpinstdir=/tmp-parent/tmp-inst/
> >>>  tmpnewfile=/tmp/newfile
> >>>  
> >>> @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S
> >>> open
> >>> -F uid=$auid || \
> >>>  )
> >>>  # Check the path and context in the audit record.
> >>>  augrok type==SYSCALL \
> >>> -	subj=$s0_context auid=$auid success=yes \
> >>> +	subj=$s0_context success=yes \
> >>>  	name=$tmpnewfile obj=$s0_obj\
> >>>  	|| exit_fail "missing audit record"
> >>>  
> >>> @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
> >>>  
> >>>  # Check the path and context in the audit record.
> >>>  augrok --seek=$log_mark type==SYSCALL \
> >>> -	subj=$s2_context auid=$auid success=yes \
> >>> +	subj=$s2_context success=yes \
> >>>  	name=$tmpnewfile obj=$s2_obj\
> >>>  	|| exit_fail "missing audit record"
> >>>  
> >>> diff --git a/audit-test/trustedprograms/tests/test_lpq.bash
> >>> b/audit-test/trustedprograms/tests/test_lpq.bash
> >>> index 0cbd45f..ee0f60d 100755
> >>> --- a/audit-test/trustedprograms/tests/test_lpq.bash
> >>> +++ b/audit-test/trustedprograms/tests/test_lpq.bash
> >>> @@ -50,6 +50,11 @@ backup /var/run/utmp
> >>>  semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
> >>>    exit_error "unable to set $TEST_USER to staff_u"
> >>>  
> >>> +# In RHEL7 the pam_loginuid fails if loginuid already set
> >>> +# for the purpose of this test we disable it temporarily
> >>> +backup /etc/pam.d/login
> >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >>> +
> >>>  # test
> >>>  prepend_cleanup rm -f $CON1OUT $CON2OUT
> >>>  runcon $LPQ1CON lpq -P $printer > $CON1OUT
> >>>
> >>
> >>
> >> ------------------------------------------------------------------------------
> >> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
> >> Discover the easy way to master current and previous Microsoft
> >> technologies
> >> and advance your career. Get an incredible 1,500+ hours of step-by-step
> >> tutorial videos with LearnDevNow. Subscribe today and save!
> >> http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
> >> _______________________________________________
> >> Audit-test-developer mailing list
> >> Aud...@li...
> >> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
> >>
> > 
> 
> 

-- 
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic

Thread: Re: [Audit-test-developer] [PATCH 16/19] libpam, tp: loginuid fails if already set for current sess (Page 3)

Test suite for Linux audit and related security functionality

audit-test-developer