[pkg-apparmor] Bug#770788: Bug#770788: Patch: updated usr.bin.passwd profile

parspes parspes at gmail.com
Tue Nov 25 00:54:56 UTC 2014 

 Thanks for the input, I am not an expert on the program myself nor a
C programmer.

> +  capability fsetid,
>
> Any idea what passwd would be doing that it would need this capability?

 Passwd requests the fsetid capability when called by the adduser
program as root on my Debian system, why exactly I am not certain.

> +  /etc/nshadow rw,
>
> Similar question about nshadow. It looks to be a file left around from
> running pwconv; why would passwd be making use of it? Does passwd have
> the ability to do shadow conversion, too?

 Pconv, yes - one of the Debian update packages runs pconv when
updating either the passwd program or the debian-base files I recall.
Perhaps that should be left out, although I hate to break an update.

> +  /proc/*/loginuid r,
>
> I'm actually surprised we don't see more of this. A better rule would
> probably be:
>
> +  @{PROC}/@{pid}/loginuid r,

Ok, missed the @{pid} in kernelvars, and left out the @{PROC} variable
- a better rule is always better.


On 11/24/14, Steve Beattie <steve at nxnw.org> wrote:
> Hi,
>
> Looking at what's upstream, it appears that the difference between your
> version and upstream is the following diff. I have some questions about
> a couple of the additions:
>
> --- upstream/usr.bin.passwd	2014-06-26 15:13:56.154844301 -0700
> +++ new/usr.bin.passwd	2014-11-24 14:08:13.307951734 -0800
> @@ -1,5 +1,4 @@
> -# vim:syntax=apparmor
> -# Last Modified: Sat Jan  6 09:35:33 2007
> +# Last Modified: Fri Feb 28 19:31:33 2014
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2006 Volker Kuhlmann
> @@ -17,19 +16,27 @@
>    #include <abstractions/base>
>    #include <abstractions/consoles>
>    #include <abstractions/nameservice>
> +  #include <abstractions/wutmp>
>
> This looks fine, I think.
>
>    capability chown,
> +  capability fsetid,
>
> Any idea what passwd would be doing that it would need this capability?
> I'm unclear why passwd would ever be messing with the permissions on a
> setuid/setgid file or directory.
>
>    capability sys_resource,
>
> -  /etc/.pwd.lock w,
> +
> +
> +  /etc/.pwd.lock wk,
>
> Looks fine.
>
> +  /etc/nshadow rw,
>
> Similar question about nshadow. It looks to be a file left around from
> running pwconv; why would passwd be making use of it? Does passwd have
> the ability to do shadow conversion, too?
>
>    /etc/pwdutils/logging r,
>    /etc/shadow rwl,
>    /etc/shadow.old rwl,
>    /etc/shadow.tmp?????? rwl,
> +  /proc/*/loginuid r,
>
> I'm actually surprised we don't see more of this. A better rule would
> probably be:
>
> +  @{PROC}/@{pid}/loginuid r,
>
> since I doubt passwd is looking at other process' loginuid.
>
>    /usr/bin/passwd mr,
>    /usr/lib/pwdutils/lib*.so* mr,
>    /usr/lib64/pwdutils/lib*.so* mr,
>    /usr/share/cracklib/pw_dict.hwm r,
>    /usr/share/cracklib/pw_dict.pwd r,
>    /usr/share/cracklib/pw_dict.pwi r,
> +
>  }
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/
>

More information about the pkg-apparmor-team mailing list