mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00

Merge unix-chkpwd: Add read capability to profile

Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionally read the shadow file. And with the previous
restriction, the binary has access denied to the shadow file, which
blocks user authentications. Moreover, the PAM changes are needed to fix
CVE-2024-10041.
Giving the read capability to the unix-chkpwd profile allows it to
function properly. See bug report [1].

[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678

Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1685
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2025-05-13 16:00:21 +00:00
commit 84c3e629e4


@ -17,6 +17,8 @@ profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
# To write records to the kernel auditing log.
capability audit_write,
# To read shadow with 000 permissions.
capability dac_read_search,
network netlink raw,
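Review bot: `capability dac_read_search,` grants more than the comment above it suggests: CAP_DAC_READ_SEARCH waives DAC read and search checks for every path, not only the shadow file, so the effective bound on what unix_chkpwd can read under this profile is its file rules, not the capability. Consider stating that in the comment, e.g. `# To read shadow with 0000 permissions (DAC bypass; path access is still limited by the file rules below).`, and aligning the mode with the commit message, which says 0000 while the comment says 000. It would also help reviewers to confirm in the MR that the profile's existing shadow file rule is read-only, since the capability plus a writable rule would be a much larger grant than the PAM change requires.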