
[OATH-Toolkit-help] [sr #108723] RFE: Configurable lock file location (f


From: Jaroslav Škarvada
Subject: [OATH-Toolkit-help] [sr #108723] RFE: Configurable lock file location (for SELinux compatibility)
Date: Fri, 09 Jan 2015 14:31:45 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0

URL:
  <http://savannah.nongnu.org/support/?108723>

                 Summary: RFE: Configurable lock file location (for SELinux compatibility)
                 Project: OATH Toolkit
            Submitted by: yarda
            Submitted on: Fri 09 Jan 2015 02:31:44 PM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None

    _______________________________________________________

Details:

Currently the pam_oath module doesn't work with SELinux out of the box,
because it creates a lock file when updating the usersfile. The problem is that it
creates the lock file in the same directory where the usersfile is located, and
creating new files by pam modules is mostly not allowed by SELinux rules.

It seems it is not possible to remove the external lock file and use only
advisory locking on the usersfile, because it will introduce a race condition.

So I tried to extend the liboath API with an oath_set_lockfile_path call, which sets
the lockfile location for all successive API calls. If it is not used or the
lockfile path is set to NULL, the previous behaviour (i.e. no global lock, only
local usersfile lock) is used. I also extended the pam module to use this new API
call and create its global lock as /var/lock/pam_oath.lock. This should
resolve the SELinux problem. I think using one global lock for the pam module
shouldn't be a performance bottleneck in most cases, but for cases where it is,
I also added a lockfile pam module parameter, so arbitrary usersfile/lockfiles
(without one global lock) can also be used.

The attached patch is a proof of concept; feel free to change/rework it as needed.

There is a Fedora bug report about this problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1178036



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 09 Jan 2015 02:31:44 PM GMT  Name: oath-toolkit-2.4.1-lockfile.patch
 Size: 5kB   By: yarda
Proposed fix
<http://savannah.nongnu.org/support/download.php?file_id=32799>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/support/?108723>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
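
Added example (not part of the original message, the attached patch, or liboath): one way a lock taken on the usersfile itself can stop protecting it, while a separate lock file like the one discussed in the report keeps excluding a second locker. It assumes the usersfile is updated by writing a new file and renaming it over the old one, and it uses flock() so the conflict is observable inside a single process; the /tmp paths and function names are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Assumed update style: write "<path>.new", then rename it over <path>. */
static int replace_file(const char *path, const char *content) {
    char tmp[256];
    snprintf(tmp, sizeof tmp, "%s.new", path);
    FILE *f = fopen(tmp, "w");
    if (!f) return -1;
    fputs(content, f);
    if (fclose(f) != 0) return -1;
    return rename(tmp, path);
}

/* lockpath is the file that gets locked: the usersfile itself, or a separate
 * lock file. Returns 1 if a second locker is kept out while the first still
 * holds its lock across an update, 0 if the second locker gets in, -1 on error. */
int second_locker_excluded(const char *usersfile, const char *lockpath) {
    if (replace_file(usersfile, "constructed sample line, counter 0\n") != 0) return -1;
    int a = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (a < 0) return -1;
    if (flock(a, LOCK_EX | LOCK_NB) != 0) { close(a); return -1; }
    /* Holder A updates the usersfile: the path now names a NEW inode,
     * but A's lock is still attached to the inode it opened earlier. */
    if (replace_file(usersfile, "constructed sample line, counter 1\n") != 0) {
        close(a);
        return -1;
    }
    /* Locker B arrives before A has released its lock. */
    int b = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (b < 0) { close(a); return -1; }
    int excluded = (flock(b, LOCK_EX | LOCK_NB) != 0);
    close(b);
    close(a);
    return excluded;
}

int main(void) {
    const char *users = "/tmp/oath_demo.users";  /* constructed path */
    const char *lock = "/tmp/oath_demo.lock";    /* constructed path */
    printf("lock on usersfile itself: excluded=%d\n", second_locker_excluded(users, users));
    printf("separate lock file:       excluded=%d\n", second_locker_excluded(users, lock));
    unlink(users);
    unlink(lock);
    return 0;
}
```

Because the separate lock file is never renamed, its inode stays stable and can live in any directory the caller is allowed to write to.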
