feat(profile): unix-chkpwd: Add read capability to profile

Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionally read the shadow file. And with the previous
restriction, the binary is denied access to the shadow file, which
blocks user authentications. Moreover, the PAM change is needed to fix
CVE-2024-10041.
Giving the read capability to the unix-chkpwd profile allows it to
function properly. See bug report [1].

[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678

Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
Alexandre Pujol 2025-05-14 22:49:58 +02:00
parent 415c09ca88
commit 877452519d
GPG key ID: C5469996F0DF68EC

@ -14,6 +14,7 @@ profile unix-chkpwd @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability audit_write, capability audit_write,
capability dac_read_search, # To read shadow with 000 permissions.
network netlink raw, network netlink raw,
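Review bot: `capability dac_read_search,` is a broad grant, since this capability bypasses file read and directory search permission checks for every path the process touches, not only the shadow file, so the profile's file rules are what scope it; the hunk shows only `include <abstractions/nameservice-strict>` around it, so please confirm that a file rule granting read on the shadow file is present in this profile (or that abstraction), otherwise AppArmor still denies the read despite the new capability. Also, the inline comment says `000 permissions` while the commit message says `0000`; align the two so the rationale is unambiguous.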