New patch...I have added checks around the calls that deal with the tty. So if ttyn is an empty string (something had a heartache with it being NULL) then it skips the processing. It does appear to work but more testing is needed. Please review and comment. Now say if someone ran `newrole -l SystemHigh -- -c "su - foo"` in the background of a script, you would not be able to give su input as it is in the background and has no tty. su in this case exits gracefully I guess you could say. My point is that if you have an application that needs to run from newrole, in the background AND requires user input, you will not be able to give the application input while it is in the background and have it work successfully. Example: foo.sh --------------- #!/bin/bash ./bar.sh & --------------- bar.sh --------------- #!/bin/bash su - root -c /bin/date --------------- su exits because there is no tty for input. So is chasing down having newrole run in a pseudo tty in the background and accept input worth the time? Thanks, Tim -----Original Message----- From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] Sent: Thursday, December 13, 2007 10:08 AM To: Xavier Toth Cc: Reed, Tim (US SSA); SE Linux Subject: Re: newrole in the background On Thu, 2007-12-13 at 08:41 -0600, Xavier Toth wrote: > On Dec 13, 2007 8:25 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > On Thu, 2007-12-13 at 04:30 -0800, Reed, Tim (US SSA) wrote: > > > Good point. That is why I was looking for test cases or something. > > > > > > I am going to explore Stephen suggestion more of making the lack of a > > > tty non-fatal. But won't we want newrole to have a tty so that it can > > > send/receive input from the user? That is the reason why I was having > > > it creating a pseudo tty. > > > > > > Suggestions..... > > > > You said you wanted to be able to use newrole while detached from any > > tty, thus no input is possible there. Right? > > > > So if you have newrole or the subsequent application use a pam module > > that requires a tty, it is going to fail regardless in that situation. > > Your situation presumes that you aren't using pam modules that require a > > tty. > > > > Only thing to check is to make sure that the pam modules fail gracefully > > in that situation and newrole correctly exits with an error in that > > case. > > > > > > -- > > Stephen Smalley > > National Security Agency > > > > > > Right, but doesn't pam_unix exec unix_chkpwd and wait for it to exit? > Or will unix_chkpwd fail because there isn't a tty? That's what we need to check - that the pam module or unix_chkpwd correctly handle the case where there is no tty. And that is better than having it block indefinitely on a pty that we've created that will never provide any input at all... -- Stephen Smalley National Security Agency
Attachment:
newrole_no_tty_2.patch
Description: newrole_no_tty_2.patch
