headers
Paweł Hajdan, Jr. | 13 Jan 2010 09:27
Picon
Favicon

getting tcb patches into shadow

Hi! I'm interested in getting tcb (http://www.openwall.com/tcb/) support
into shadow. tcb is an interesting project (you can run shadow tools
with less privileges, and it's quite simple), and having a separate
patch to apply is hard to maintain.

Here's the most recent version of the patch I could find:

<http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/shadow-utils/current/SOURCES/shadow-4.1.4.2-avx-owl-tcb.patch?view=markup>

My plan isn't to just drop this code blob and run away. I'm willing to
split it into smaller chunks, incorporate your review comments etc.

I'm not a developer of tcb, and the project seems to be alive upstream,
but the shadow patch provided by tcb project is outdated. The one I
linked to above is more recent.

What do you think?

Paweł Hajdan jr


_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel@...
http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel
Permalink | Reply |
headers
Paweł Hajdan, Jr. | 16 Jan 2010 22:53
Picon
Favicon

Re: getting tcb patches into shadow

On 1/13/10 9:27 AM, "Paweł Hajdan, Jr." wrote:
> Here's the most recent version of the patch I could find:
> 
> <http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/shadow-utils/current/SOURCES/shadow-4.1.4.2-avx-owl-tcb.patch?view=markup>

I've done some more testing, and the patch to shadow doesn't seem to be
necessary for basic tcb operation, and even with the patch tools like
adduser seem to be broken (you can't set password for the new user).

I'll investigate more, but it seems it would be possible to add only
some smaller changes to shadow to get it to fully work with tcb.

Stay tuned,
Paweł Hajdan jr


_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel@...
http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel
Permalink | Reply |
headers
Paweł Hajdan, Jr. | 17 Jan 2010 18:42
Picon
Favicon

Re: getting tcb patches into shadow

On 1/16/10 10:53 PM, "Paweł Hajdan, Jr." wrote:
> I've done some more testing, and the patch to shadow doesn't seem to be
> necessary for basic tcb operation, and even with the patch tools like
> adduser seem to be broken (you can't set password for the new user).

I think it's confirmed: I got patched tcb to work with no patches
applied for shadow (everything in /etc/tcb, no /etc/shadow). Logging in
works, su works, passwd works. adduser is broken (few others probably
too), so some kind of patch for shadow would be needed.

I'm attaching a small patch to add tcb support to ./configure. If tcb is
present and enabled, WITH_TCB will be #defined. Please review the patch,
and apply if you like it. If you'd rather see a bigger chunk of code,
that's possible too (I'd have some questions then though).

Paweł Hajdan jr

--- configure.in.orig	2010-01-17 18:17:49.000000000 +0100
+++ configure.in	2010-01-17 18:32:46.000000000 +0100
 <at>  <at>  -250,6 +250,9  <at>  <at> 
 AC_ARG_WITH(skey,
 	[AC_HELP_STRING([--with-skey], [use S/Key support  <at> <: <at> default=no <at> :> <at> ])],
 	[with_skey=$withval], [with_skey=no])
+AC_ARG_WITH(tcb,
+	[AC_HELP_STRING([--with-tcb], [use tcb support (incomplete)  <at> <: <at> default=yes if found <at> :> <at> ])],
+	[with_tcb=$withval], [with_tcb=maybe])
 AC_ARG_WITH(libcrack,
 	[AC_HELP_STRING([--with-libcrack], [use libcrack  <at> <: <at> default=yes if found and if PAM not enabled <at> :> <at> ])],
 	[with_libcrack=$withval], [with_libcrack=no])
(Continue reading)

Permalink | Reply |
headers
Paweł Hajdan, Jr. | 25 Jan 2010 11:12
Picon
Favicon

Re: getting tcb patches into shadow

On 1/17/10 6:42 PM, "Paweł Hajdan, Jr." wrote:
> On 1/16/10 10:53 PM, "Paweł Hajdan, Jr." wrote:
>> I've done some more testing, and the patch to shadow doesn't seem to be
>> necessary for basic tcb operation, and even with the patch tools like
>> adduser seem to be broken (you can't set password for the new user).
> 
> I think it's confirmed: I got patched tcb to work with no patches
> applied for shadow (everything in /etc/tcb, no /etc/shadow). Logging in
> works, su works, passwd works. adduser is broken (few others probably
> too), so some kind of patch for shadow would be needed.

Thanks for applying the patch for configure.in. I got useradd and
userdel to work with tcb, as well as few other things. The attached
patch is not yet ready to apply, but feel free to comment whether this
is a good direction.

It's mostly based on the Mandriva patch, but with some changes required
to get it to work really.

Paweł Hajdan jr

Index: libmisc/copydir.c
===================================================================
--- libmisc/copydir.c	(revision 3088)
+++ libmisc/copydir.c	(working copy)
 <at>  <at>  -668,7 +668,7  <at>  <at> 
  *	At the end, it deletes the root directory itself.
  */
(Continue reading)

Permalink | Reply |
headers
Paweł Hajdan, Jr. | 29 Jan 2010 17:32
Picon
Favicon

Re: getting tcb patches into shadow

Okay, attached an updated patch. Please review it, as for me it's ready.
I can fix any remaining issues, but feel free to make some further
changes to make it better.

Paweł Hajdan jr

Index: libmisc/copydir.c
===================================================================
--- libmisc/copydir.c	(revision 3088)
+++ libmisc/copydir.c	(working copy)
 <at>  <at>  -668,7 +668,7  <at>  <at> 
  *	At the end, it deletes the root directory itself.
  */

-int remove_tree (const char *root)
+int remove_tree (const char *root, bool remove_root)
 {
 	char *new_name = NULL;
 	int err = 0;
 <at>  <at>  -721,7 +721,7  <at>  <at> 
 			/*
 			 * Recursively delete this directory.
 			 */
-			if (remove_tree (new_name) != 0) {
+			if (remove_tree (new_name, true) != 0) {
 				err = -1;
 				break;
 			}
 <at>  <at>  -740,7 +740,7  <at>  <at>
(Continue reading)

Permalink | Reply |
headers
Nicolas François | 29 Jan 2010 18:08
Favicon

Re: getting tcb patches into shadow

Hi,

On Fri, Jan 29, 2010 at 05:32:51PM +0100, phajdan.jr@... wrote:
> Okay, attached an updated patch. Please review it, as for me it's ready.
> I can fix any remaining issues, but feel free to make some further
> changes to make it better.

Not really a review, just some thoughts (and this will not prevent
committing anyway)

> Index: src/pwconv.c
> ===================================================================
> --- src/pwconv.c	(revision 3088)
> +++ src/pwconv.c	(working copy)
>  <at>  <at>  -133,6 +133,11  <at>  <at> 
>  
>  	OPENLOG ("pwconv");
>  
> +	if (getdef_bool("USE_TCB")) {
> +		fprintf(stderr, _("%s: can't work with tcb enabled\n"), Prog);
> +		fail_exit(E_FAILURE);
> +	}
> +

Is it impossible to implement a pwconv with TCP?
Or should it be something like "does not work yet with tcb enabled\n"?

> Index: src/vipw.c
> ===================================================================
> --- src/vipw.c	(revision 3088)
(Continue reading)

Permalink | Reply |
headers
Paweł Hajdan, Jr. | 30 Jan 2010 10:50
Picon
Favicon

Re: getting tcb patches into shadow

On 1/29/10 6:08 PM, Nicolas François wrote:
> Is it impossible to implement a pwconv with TCP?
> Or should it be something like "does not work yet with tcb enabled\n"?

I think it'd make pwconv/pwunconv overly complex if they had to deal
with tcb. We have tcb_convert/unconvert in tcb package to deal with
shadow<->tcb conversion. pwconv/unconv deal with shadow<->passwd conversion.

>> +		if (!shadowtcb_drop_priv())
>> +			vipwexit (_("failed to gain privileges"), errno, 1);
> 
> That's a failed to drop privileges.

Fixed.

>> +		if (stat(file, &st1))
>> +			vipwexit (_("failed to stat edited file"), errno, 1);
>> +		asprintf(&to_rename, "%s+", file);
> 
> asprintf is GNU specific, if it could be avoided, that would be better.

I removed its usage from all files except tcbfuncs.c (I just don't want
to make too changes at once; I think the next step could be to add an
replacement in tcbfuncs.c in case asprintf isn't available). Please note
that asprintf is easier to read and is also available on BSD.

> BTW, do you think the format should be described in shadow(5)?

I'm not sure what format you refer to. All tcb-specific things are
documented in tcb(5), and format of each tcb shadow file line is the
(Continue reading)

Permalink | Reply |
headers
Paweł Hajdan, Jr. | 13 Feb 2010 18:28
Picon
Favicon

Re: getting tcb patches into shadow

On 1/30/10 10:50 AM, "Paweł Hajdan, Jr." wrote:
> On 1/29/10 6:08 PM, Nicolas François wrote:
>> BTW, do you think the format should be described in shadow(5)?
> 
> I'm not sure what format you refer to. All tcb-specific things are
> documented in tcb(5), and format of each tcb shadow file line is the
> same as normal shadow line.
> 
> Attached the updated patch.

Are there any more concerns about the patch? If there are none, could
you please apply it? Sorry if it's already applied and I just missed that.

Paweł Hajdan jr


_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel@...
http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel
Permalink | Reply |

Gmane