[Bug 339073] New: restricted shell rbash usage is broken in 10.3
https://bugzilla.novell.com/show_bug.cgi?id=339073

           Summary: restricted shell rbash usage is broken in 10.3
           Product: openSUSE 10.3
           Version: Final
          Platform: Other
        OS/Version: openSUSE 10.3
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: robin.listas@telefonica.net
         QAContact: qa@suse.de
          Found By: ---

First, Yast user management (gnome style) does not offer rbash in the drop list. If I manually type "/bin/rbash", it doesn't work because it is "/usr/bin/rbash" instead. Plus, yast warns that the chosen shell does not exist (when it does) and the user will fail.

Ignoring this and creating the new user produces a user that can't run anything: not because the shell is wrong, but because the user gets the wrong path:

    PATH=/usr/lib/restricted/bin

When typing any command, I get:

    cer3@nimrodel:~> ls
    -rbash: ls: command not found
    cer3@nimrodel:~>

/etc/passwd entry is:

    cer3:x:2000:100:Carlos E. R. M.,testing user:/home/cer3:/usr/bin/rbash

I file this as a security bug because I consider rbash a security feature, and being forced to use a normal shell is a security risk.

This system was updated to 10.3 from 10.2 (boxed set I got as a "present" from you for collaboration with beta testing).

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=339073#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Severity|Critical                    |Normal
           Status|NEW                         |RESOLVED
       Resolution|                            |INVALID

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2007-11-05 05:29:29 MST ---
A restricted shell doesn't make sense without a restricted PATH. That was a problem in previous default configurations. So you need to put a symlink to all commands you want to allow to /usr/lib/restricted/bin yourself now.
https://bugzilla.novell.com/show_bug.cgi?id=339073#c2

Carlos Robinson <robin.listas@telefonica.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Status|RESOLVED                    |REOPENED
       Resolution|INVALID                     |

--- Comment #2 from Carlos Robinson <robin.listas@telefonica.net> 2007-11-05 07:17:21 MST ---
Ok... that's just a change, then.

What about Yast saying that the shell is invalid and doesn't exist? Surely that's a bug. Perhaps you can forward this bugzilla to the Yast folks.
https://bugzilla.novell.com/show_bug.cgi?id=339073

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       AssignedTo|security-team@suse.de       |yast2-maintainers@suse.de
           Status|REOPENED                    |NEW
        Component|Security                    |YaST2
https://bugzilla.novell.com/show_bug.cgi?id=339073#c4

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Status|NEW                         |NEEDINFO
    Info Provider|                            |lnussel@novell.com

--- Comment #4 from Jiří Suchomel <jsuchome@novell.com> 2007-11-05 14:43:06 MST ---
YaST is _not_ saying that the shell you have entered does not exist, it is saying:

"If you select a nonexistent shell, the user may be unable to log in. Use this shell?"

which is a very different message. It shows that YaST doesn't know that shell.

Ludwig, do you know why /bin/rbash is not listed in /etc/shells?
https://bugzilla.novell.com/show_bug.cgi?id=339073#c5

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
               CC|                            |security-team@suse.de, werner@novell.com, ro@novell.com
           Status|NEEDINFO                    |NEW
    Info Provider|lnussel@novell.com          |
          Summary|restricted shell rbash usage is broken in 10.3 |rbash not in /etc/shells

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2007-11-06 01:16:39 MST ---
I don't know. I can't really judge whether it would be a good idea to add it either. Not having rbash in /etc/shells means that

- a user cannot use chsh to set the login shell to rbash, which means he cannot accidentally lock himself into a restricted environment
- pam_shells will refuse authentication, i.e. a user with rbash cannot authenticate with pure-ftpd or vsftpd.
https://bugzilla.novell.com/show_bug.cgi?id=339073#c6

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
               CC|                            |jsuchome@novell.com
       AssignedTo|jsuchome@novell.com         |werner@novell.com

--- Comment #6 from Jiří Suchomel <jsuchome@novell.com> 2007-11-06 02:43:47 MST ---
Anyway this is not a YaST issue, yast2-users relies on the content of /etc/shells.
https://bugzilla.novell.com/show_bug.cgi?id=339073#c7

Dr. Werner Fink <werner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       AssignedTo|werner@novell.com           |jsuchome@novell.com
         Severity|Normal                      |Minor

--- Comment #7 from Dr. Werner Fink <werner@novell.com> 2007-11-06 03:35:23 MST ---
Please remember Jiří:

    /suse/werner> rpm -qf /etc/shells
    aaa_base-10.3-90
    /suse/werner> maintainer aaa_base
    ro@novell.com

Beside this a restricted shell makes sense only with a restricted PATH, otherwise the user of a restricted shell may escape by executing /bin/bash. It is on the system administrator to add utilities like /bin/ls by setting the appropriate symbolic link to /usr/lib/restricted/bin . IMHO it is also the job of the system administrator to use `useradd' with the option `-s /usr/bin/rbash' to add a restricted user.

Nevertheless AFAICS the rbash *is* part of the /etc/shells:

    /suse/werner> grep rbash /etc/shells
    /usr/bin/rbash

.. this is the same path as for the 10.2, if YaST does not find the rbash this is a bug of YaST.
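As an added example that is not part of the bug report or written by any of its participants: a POSIX shell script that builds the allowlisted /usr/lib/restricted/bin from symlinks as comments #1 and #7 describe, checks the /etc/shells membership that comment #5 says chsh and pam_shells depend on, and audits that no linked command is itself a login shell. The demo at the bottom runs against a constructed temp tree; every directory and file path handed to the functions is an assumption, not a value from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug report. Defaults follow the thread
# (/usr/bin/rbash, PATH=/usr/lib/restricted/bin, /etc/shells); the demo
# below runs against a constructed temp tree, not the live host.

# Fill a restricted bin directory with symlinks to an allowlist of
# commands. rbash users see only this directory in PATH, so anything
# not linked here is "command not found", as the reporter saw with ls.
setup_restricted_bin() {
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd" 2>/dev/null) || { echo "skip: $cmd not found" >&2; continue; }
        ln -sf "$target" "$dir/$cmd"
    done
}

# 0 if the shell path is an exact line of the shells file; chsh and
# pam_shells consult that list, so an unlisted rbash fails both.
shell_is_listed() { grep -qx "$2" "$1" 2>/dev/null; }

# 0 if every PATH component is the restricted directory. Any other
# component (e.g. /bin) lets the user run /bin/bash and escape.
path_is_restricted() {
    old_ifs=$IFS; IFS=:
    for comp in $1; do
        [ "$comp" = "$2" ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# 0 unless some symlink in the restricted directory points at a login
# shell from the shells file (linking /bin/bash there undoes rbash).
audit_restricted_bin() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        grep -qx "$target" "$2" 2>/dev/null && { echo "escape: $f -> $target" >&2; return 1; }
    done
    return 0
}

demo=$(mktemp -d)                                   # constructed tree; nothing touches /etc
setup_restricted_bin "$demo/restricted/bin" ls cat
printf '/bin/sh\n/bin/bash\n' > "$demo/shells"      # constructed /etc/shells without rbash
shell_is_listed "$demo/shells" /usr/bin/rbash || echo "rbash not in shells file: chsh/pam_shells will refuse it"
path_is_restricted /usr/lib/restricted/bin /usr/lib/restricted/bin && echo "PATH is restricted"
audit_restricted_bin "$demo/restricted/bin" "$demo/shells" && echo "no login shell reachable from restricted bin"
rm -rf "$demo"
```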
https://bugzilla.novell.com/show_bug.cgi?id=339073#c8

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       AssignedTo|jsuchome@novell.com         |ro@novell.com

--- Comment #8 from Ludwig Nussel <lnussel@novell.com> 2007-11-06 03:55:32 MST ---

    $ grep rbash /mounts/dist/unpacked/i386.full/etc/shells
    $
https://bugzilla.novell.com/show_bug.cgi?id=339073#c9

Dr. Werner Fink <werner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       Depends on|                            |223159

--- Comment #9 from Dr. Werner Fink <werner@novell.com> 2007-11-06 04:38:04 MST ---
This bug depends on bug #223159
https://bugzilla.novell.com/show_bug.cgi?id=339073#c10

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Status|NEW                         |RESOLVED
       Resolution|                            |WONTFIX

--- Comment #10 from Ludwig Nussel <lnussel@novell.com> 2007-11-06 05:27:38 MST ---
so bug 223159 is the reason why rbash is not in /etc/shells on 10.3. I.e. a feature, not a bug.