mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 10:07:12 +00:00
unix-chkpwd: Add read capability to profile
Following the Security Technical Implementation Guide, it is better to set the permissions to 0000 for the shadow file. However, since PAM version 1.6.0, after this change [0], unix-chkpwd will unconditionally read the shadow file. And with the previous restriction, the binary gets an access denied on the shadow file, which blocks user authentications. Moreover, the PAM change is needed to fix CVE-2024-10041. Giving the read capability to the unix-chkpwd profile allows it to function properly. See bug report [1].

[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678

Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
(cherry picked from commit 556396a172d09ea032404c7b346f4cf54a949a4e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent b50ee98352
commit 104d601657
@ -17,6 +17,8 @@ profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
# To write records to the kernel auditing log.
capability audit_write,
# To read shadow with 000 permissions.
capability dac_read_search,
network netlink raw,
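Review bot: `capability dac_read_search,` lifts the DAC permission check for every file unix_chkpwd opens, not only the shadow file, so the profile's file rules are what keep the read scoped; the hunk context does not show the `/etc/shadow` read rule, so confirm it is still present and still the only shadow-related file rule, because in AppArmor the capability rule and the file rule are mediated independently and the file rule remains the effective limit. The new comment says `000 permissions` while the commit message says 0000; pick one spelling. Since the unconditional shadow read only appears with PAM 1.6.0 (linux-pam PR 686), naming that version in the comment would let a later maintainer judge whether the capability can be dropped again.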