MAC and pam_nologin (was Re: man-pages-3.15 is released)

[Tetsuo Handa]

Hello.

The "man 5 nologin" says that:

  If the file /etc/nologin *exists*, login (1) will allow access only to root.
  Other users will be shown the contents of this file and their logins will be
  refused.

But this description becomes inaccurate when MAC (e.g. SELinux) is enabled.

MAC can deny open("/etc/nologin", O_RDONLY) by root user. Thus,

  # ln /etc/shadow /etc/nologin

will create /etc/nologin which is *not readable* by login(1).
As a result, non-root user's logins are permitted while /etc/nologin *exists*.

I guess pam_nologin is using a code like

  fp = fopen("/etc/nologin", "r");
  if (fp)
     /* print the contents of /etc/nologin and reject login request. */

So, I think either one of below modifications is needed.

(1) Change the description of manpage like

  If the file /etc/nologin *is readable*, login (1) will allow access only to
  root. Other users will be shown the contents of this file and their logins
  will be refused.

(2) Change the code of pam_nologin like

  fd = open("/etc/nologin", O_RDONLY);
  if (fd != EOF || errno != ENOENT)
     /* print the contents of /etc/nologin and reject login request. */

Which one is the better solution?

Regards.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/