[OATH-Toolkit-help] [sr #108723] RFE: Configurable lock file location (f
From: Jaroslav Škarvada
Subject: [OATH-Toolkit-help] [sr #108723] RFE: Configurable lock file location (for SELinux compatibility)
Date: Fri, 09 Jan 2015 14:31:45 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
URL: <http://savannah.nongnu.org/support/?108723>
Summary: RFE: Configurable lock file location (for SELinux
compatibility)
Project: OATH Toolkit
Submitted by: yarda
Submitted on: Fri 09 Jan 2015 02:31:44 PM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
Currently the pam_oath module doesn't work with SELinux out of the box,
because it creates a lock file when updating the usersfile. The problem is that
it creates the lock file in the same directory where the usersfile is located,
and creating new files by PAM modules is mostly not allowed by SELinux rules.
It seems it is not possible to remove the external lock file and use only
advisory locking on the usersfile, because it will introduce a race condition.
So I tried to extend the liboath API with an oath_set_lockfile_path call, which
sets the lockfile location for all successive API calls. If it is not used, or
the lockfile path is set to NULL, the previous behaviour (i.e. no global lock,
only a local usersfile lock) is used. I also extended the pam module to use this
new API call and create its global lock as /var/lock/pam_oath.lock. This should
resolve the SELinux problem. I think using one global lock for the pam module
shouldn't be a performance bottleneck in most cases, but for cases where it is,
I also added a lockfile pam module parameter, so arbitrary usersfile/lockfiles
(without one global lock) can also be used.
The attached patch is a proof of concept; feel free to change/rework it as needed.
There is a Fedora bug report about this problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1178036
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 09 Jan 2015 02:31:44 PM GMT Name: oath-toolkit-2.4.1-lockfile.patch
Size: 5kB By: yarda
Proposed fix
<http://savannah.nongnu.org/support/download.php?file_id=32799>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/support/?108723>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
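
Added example, not part of the original message or of the attached patch: a C demonstration of why an advisory lock held on the data file itself stops guarding it once the file is replaced by write-then-rename, and how a lock on a separate file avoids that. The write-then-rename update pattern, all function names and the /tmp paths are assumptions made for illustration; the message does not describe how the usersfile is rewritten.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Blocking exclusive advisory lock on the whole file behind fd. */
static int lock_fd(int fd) {
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    return fcntl(fd, F_SETLKW, &fl);
}

/* Assumed update pattern: write "<path>.new", then rename() it over path. */
int replace_file(const char *path, const char *content) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) return -1;
    FILE *f = fopen(tmp, "w");
    if (!f) return -1;
    int ok = fputs(content, f) >= 0;
    if (fclose(f) != 0) ok = 0;
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Lock the data file, update it; 1 if the lock still guards path, 0 if not, -1 on error. */
int datafile_lock_survives_update(const char *path) {
    struct stat held, now;
    if (replace_file(path, "constructed-user v1\n") != 0) return -1;
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    int rc = -1;
    if (lock_fd(fd) == 0 && replace_file(path, "constructed-user v2\n") == 0 &&
        fstat(fd, &held) == 0 && stat(path, &now) == 0)
        rc = (held.st_dev == now.st_dev && held.st_ino == now.st_ino);
    close(fd);
    return rc;
}

/* Serialize the same update on a separate lock file whose inode never changes. */
int update_with_external_lock(const char *path, const char *lockpath, const char *content) {
    int fd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    int rc = (lock_fd(fd) == 0) ? replace_file(path, content) : -1;
    close(fd); /* closing the descriptor releases the lock */
    return rc;
}

int main(void) {
    printf("survives: %d\n", datafile_lock_survives_update("/tmp/demo_usersfile"));
    return update_with_external_lock("/tmp/demo_usersfile", "/tmp/demo.lock", "constructed-user v3\n") != 0;
}
```

After the rename, the descriptor that holds the lock refers to the old, unlinked inode, so a second writer opening the path locks a different file and is not blocked.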