usr.bin.passwd profile fixes

* passwd -e LOGIN was failing * Allow execution of /usr/sbin/nscd See: bee77ffc29/lib/nscd.c (L23-L27) * Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter files (see https://www.openwall.com/passwdqc/) * Allow setuid & fsetid capabilities * Allow locking with /etc/shadow.PID & /etc/shadow.lock * Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for
2025-08-30 13:58:22 +00:00 · 2025-03-02 16:51:33 +02:00 · 2025-03-02 16:51:33 +02:00 · ab1a455f05
commit ab1a455f05
parent bf2054d963
1 changed files with 9 additions and 0 deletions
--- a/profiles/apparmor/profiles/extras/usr.bin.passwd
+++ b/profiles/apparmor/profiles/extras/usr.bin.passwd
@ -22,6 +22,8 @@ include <tunables/global>

  capability chown,
  capability sys_resource,
+  capability setuid,
+  capability fsetid,

  /etc/.pwd.lock wk,
  /etc/pwdutils/logging r,
@ -29,6 +31,10 @@ include <tunables/global>
  /etc/shadow rwl,
  /etc/shadow.old rwl,
  /etc/shadow.tmp?????? rwl,
+  /etc/shadow.[0-9]* rwl,
+  /etc/shadow.lock rwl,
+  /etc/shadow- rw,
+  /etc/shadow+ rw,

  @{PROC}/@{pid}/loginuid r,

@ -38,6 +44,9 @@ include <tunables/global>
  /usr/share/cracklib/pw_dict.hwm r,
  /usr/share/cracklib/pw_dict.pwd r,
  /usr/share/cracklib/pw_dict.pwi r,
+  /etc/passwdqc.conf r,
+  /opt/passwdqc/*.pwq r,
+  /usr/sbin/nscd Px,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.passwd>