On Friday 01/09 at 15:33 -0500, Paul Moore wrote: > On Thursday, January 08, 2015 05:44:48 PM Calvin Owens wrote: > > This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces". > > > > This commit incorrectly assumes that libpam treats -ECONNREFUSED as > > an indicator that audit is disabled, and -EPERM or any other error > > as a fatal error that prevents the login from continuing. > > > > The opposite is in fact true: -EPERM allows the login to continue, > > and -ECONNREFUSED causes it to refuse the login. This behavior has > > been unchanged in upstream linux-pam since at least 2008. > > > > Reverting this change allows libpam to again work as expected in > > non-init user namespaces. > > > > Signed-off-by: Calvin Owens <calvinowens@xxxxxx> > > Cc: stable@xxxxxxxxxxxxxxx > > --- > > Relevant code in linux-pam: > > https://urldefense.proofpoint.com/v1/url?u=https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c%23n56&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=oEb120Cp%2FehdhuY2M7qjelK5yT8IPB5WC2nEG4obDh4%3D%0A&m=vyJMOR0vSvoBryKRT8mBRsUpUQElUD3Fa4ZBI5Vaf%2BA%3D%0A&s=4f34b8ee3ea296b034ab84da1d7f0b738cd431081878afd6f85203507a722ebe > > > > kernel/audit.c | 12 +----------- > > 1 file changed, 1 insertion(+), 11 deletions(-) > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 80983df..656e8ce 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 > > msg_type) int err = 0; > > > > /* Only support initial user namespace for now. */ > > - /* > > - * We return ECONNREFUSED because it tricks userspace into thinking > > - * that audit was not configured into the kernel. Lots of users > > - * configure their PAM stack (because that's what the distro does) > > - * to reject login if unable to send messages to audit. If we return > > - * ECONNREFUSED the PAM stack thinks the kernel does not have audit > > - * configured in and will let login proceed. If we return EPERM > > - * userspace will reject all logins. This should be removed when we > > - * support non init namespaces!! > > - */ > > if (current_user_ns() != &init_user_ns) > > - return -ECONNREFUSED; > > + return -EPERM; > > While I haven't had reason to test this code lately, last I knew it was > working, what problems are you seeing Calvin? Also, with what distribution? An SSH authentication setup in LXC containers on CentOS broke with the original patch. My revert made it work again. I can dig up more detail about the specific setup if you're interested. Thanks, Calvin > -- > paul moore > www.paul-moore.com > -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html