Attached is, hopefully, the final version of the chroot patch for
shadow. In it, I've included chroot support for all relevant utilities.

Given that most of the utilities that use PAM do so for authentication
only, instead of disabling it when used with the --chroot flag, I've
moved the relevant code to run before chroot is called. It appears less
dependent on where it is called than I had first suspected.

The exceptions to this are passwd, chpasswd, and newusers, which use PAM
to do the actual password encryption. I've altered these to fall back to
using shadow functions (the default when not compiled with PAM support)
while using --chroot. I'll admit it looks a little ugly, but it doesn't
seem like it can be helped. I have tested these, and they work fine
(though before using the --chroot flag, ideally, the $ROOT/etc/login.defs
file should define the same encryption method as
$ROOT/etc/pam.d/system-auth).

Instead of having a whole lot of "if (chroot_flg)" tests scattered
throughout the source files, I've made ample use of the "--wrap="
ldflag to wrap calls to pertinent libc functions into a wrapper that
checks if the chroot flag is set (I still have to use the
"if (chroot_flg)" tests in passwd, chpasswd, and newusers, though).

Having examined how selinux is used in shadow, I had to disable its use
in useradd, userdel, and usermod when using chroot. It calls execve
after alteration of the database files, which, as far as I can tell,
would fail. And even if it was hacked to succeed, it would likely
either alter the build system or fail after trying to load cross-compiled
libs. In any event, --chroot with selinux could only benefit a selinux
system cross-compiling a selinux system.

I've tested all related utilities with various arguments and found them
all functional, with and without the --chroot flag.

-- Peter Levine