Bug ID 1162950
Summary AUDIT-1: pam: mode of /sbin/unix*_chkpwd
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee josef.moellers@suse.com
Reporter matthias.gerstner@suse.com
QA Contact qa-bugs@suse.de
CC jsegitz@suse.com, malte.kraus@suse.com, security-team@suse.de
Found By ---
Blocker --- 

In the proactive security we noticed that /sbin/unix_chkpwd and
/sbin/unix2_chkpwd are installed setuid-root per our long standing entries in
our permissions package configuration. The following mode and ownership are
set:

-rwsr-xr-x 1 root shadow 15K  6. Nov 14:41 /sbin/unix2_chkpwd
-rwsr-xr-x 1 root shadow 27K  6. Nov 14:41 /sbin/unix_chkpwd

The programs are installed with privileges to allow them to check against
password hashes in /etc/shadow. /etc/shadow is actually owned by the shadow
group:

-rw-r----- 1 root shadow 1.1K 26. Jul 2019  /etc/shadow

So the question we have is why unix*_chkpwd aren't installed setgid-shadow
instead of setuid-root? It looks like this would be sufficient.

The current setting with unix_chkpwd being owned by the shadow group but also
have the setuid-root bit doesn't make sense in any case.

I you can confirm that installing them setgid-shadow is sufficient then we can
adjust the permissions configuration accordingly. Thank you.

You are receiving this mail because: