feat(profile): unix-chkpwd: Add read capability to profile
Following the Security Technical Implementation Guide, it is better to set the permissions to 0000 for the shadow file. However, since PAM version 1.6.0, after this change [0], unix-chkpwd will unconditionnaly read the shadow file. And with the previous restriction, the binary has an access denied to the shadow which blocks user authentications. Moreover the PAM changes is needed to fix the CVE-2024-10041. Giving the read capability to the unix-chkpwd profile allows it to function properly. See bug report [1]. [0] - https://github.com/linux-pam/linux-pam/pull/686 [1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678 Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
This commit is contained in:
Alexandre Pujol
parent
415c09ca88
commit
877452519d
1 changed files with 1 additions and 0 deletions
|
|
@ -14,6 +14,7 @@ profile unix-chkpwd @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
capability dac_read_search, # To read shadow with 000 permissions.
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue