mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 10:07:12 +00:00
unix-chkpwd: Add read capability to profile
Following the Security Technical Implementation Guide, it is better to set the permissions to 0000 for the shadow file. However, since PAM version 1.6.0, after this change [0], unix-chkpwd will unconditionnaly read the shadow file. And with the previous restriction, the binary has an access denied to the shadow which blocks user authentications. Moreover the PAM changes is needed to fix the CVE-2024-10041. Giving the read caability to the unix-chkpwd profile allows it to function properly. See bug report [1]. [0] - https://github.com/linux-pam/linux-pam/pull/686 [1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678 Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
This commit is contained in:
vlefebvre
parent
2e875f22fe
commit
556396a172
@ -17,6 +17,8 @@ profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
|
|||||||
|
|
||||||
# To write records to the kernel auditing log.
|
# To write records to the kernel auditing log.
|
||||||
capability audit_write,
|
capability audit_write,
|
||||||
|
# To read shadow with 000 permissions.
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user