[pkg-apparmor] Bug#770788: Bug#770788: Patch: updated usr.bin.passwd profile

Steve Beattie steve at nxnw.org
Mon Nov 24 23:31:51 UTC 2014


Hi,

Looking at what's upstream, it appears that the difference between your
version and upstream is the following diff. I have some questions about
a couple of the additions:

--- upstream/usr.bin.passwd	2014-06-26 15:13:56.154844301 -0700
+++ new/usr.bin.passwd	2014-11-24 14:08:13.307951734 -0800
@@ -1,5 +1,4 @@
-# vim:syntax=apparmor
-# Last Modified: Sat Jan  6 09:35:33 2007
+# Last Modified: Fri Feb 28 19:31:33 2014
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006 Volker Kuhlmann
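Review bot: the `-# vim:syntax=apparmor` modeline is removed together with the stale "Last Modified" line, but only the timestamp is replaced; unless dropping the modeline is intentional, keep it, since it is easy to lose in a header-only change and other profiles rely on it for editor highlighting.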
@@ -17,19 +16,27 @@
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
+  #include <abstractions/wutmp>

This looks fine, I think.

   capability chown,
+  capability fsetid,

Any idea what passwd would be doing that it would need this capability?
I'm unclear why passwd would ever be messing with the permissions on a
setuid/setgid file or directory.

   capability sys_resource,
 
-  /etc/.pwd.lock w,
+
+
+  /etc/.pwd.lock wk,

Looks fine.

+  /etc/nshadow rw,

Similar question about nshadow. It looks to be a file left around from
running pwconv; why would passwd be making use of it? Does passwd have
the ability to do shadow conversion, too?

   /etc/pwdutils/logging r,
   /etc/shadow rwl,
   /etc/shadow.old rwl,
   /etc/shadow.tmp?????? rwl,
+  /proc/*/loginuid r,

I'm actually surprised we don't see more of this. A better rule would
probably be:

+  @{PROC}/@{pid}/loginuid r,

since I doubt passwd is looking at other processes' loginuid.

   /usr/bin/passwd mr,
   /usr/lib/pwdutils/lib*.so* mr,
   /usr/lib64/pwdutils/lib*.so* mr,
   /usr/share/cracklib/pw_dict.hwm r,
   /usr/share/cracklib/pw_dict.pwd r,
   /usr/share/cracklib/pw_dict.pwi r,
+
 }
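Review bot: this hunk adds whitespace-only lines, two empty `+` lines before `/etc/.pwd.lock wk,` and one before the closing `}`; drop them so the diff carries only rule changes. On `+  /proc/*/loginuid r,`: the per-process form `@{PROC}/@{pid}/loginuid r,` proposed above resolves only if the profile includes `<tunables/global>`, which defines `@{PROC}` and `@{pid}`; that include is outside the visible context, so confirm it is present before switching the rule.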

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
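As an added illustration of the loginuid suggestion above (not part of the patch, the Debian package, or the AppArmor project), the following lint rewrites overly broad `/proc/*/` file rules to the per-process `@{PROC}/@{pid}/` form and checks that the tunables defining those variables are included. The sample profile is constructed for the example and is not the real usr.bin.passwd profile.

```python
import re

# Constructed sample profile, modelled on the rules quoted in the review.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/passwd {
  #include <abstractions/base>
  capability chown,
  /etc/.pwd.lock wk,
  /proc/*/loginuid r,
  /proc/*/status r,
  @{PROC}/@{pid}/attr/current r,
  /usr/bin/passwd mr,
}
"""

# A file rule of the form "  /proc/*/<path> <perms>," (indent, prefix, rest, perms).
PROC_RULE_RE = re.compile(r"^(\s*)(/proc/\*/)(\S+)\s+([a-zA-Z]+),\s*$")


def tighten_proc_rules(profile_text):
    """Rewrite '/proc/*/<path> <perms>,' rules to '@{PROC}/@{pid}/<path> <perms>,'
    so the profile only grants access to the confined process's own /proc entry.
    Returns (rewritten_text, findings) where each finding is (lineno, old, new)."""
    out, findings = [], []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = PROC_RULE_RE.match(line)
        if m:
            indent, _prefix, rest, perms = m.groups()
            new = f"{indent}@{{PROC}}/@{{pid}}/{rest} {perms},"
            findings.append((lineno, line.strip(), new.strip()))
            out.append(new)
        else:
            out.append(line)
    return "\n".join(out) + "\n", findings


def missing_tunables(profile_text):
    """True when @{PROC} or @{pid} is used but <tunables/global> is not included;
    the variables would then be undefined and the profile would fail to load."""
    uses_vars = "@{PROC}" in profile_text or "@{pid}" in profile_text
    has_include = re.search(r"^\s*#include\s+<tunables/global>", profile_text, re.M)
    return uses_vars and has_include is None


if __name__ == "__main__":
    text, found = tighten_proc_rules(SAMPLE_PROFILE)
    for lineno, old, new in found:
        print(f"line {lineno}: {old}  ->  {new}")
    print("tunables/global missing:", missing_tunables(text))
```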