Bug ID | 1162950 |
---|---|
Summary | AUDIT-1: pam: mode of /sbin/unix*_chkpwd |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | josef.moellers@suse.com |
Reporter | matthias.gerstner@suse.com |
QA Contact | qa-bugs@suse.de |
CC | jsegitz@suse.com, malte.kraus@suse.com, security-team@suse.de |
Found By | --- |
Blocker | --- |

In the proactive security we noticed that /sbin/unix_chkpwd and /sbin/unix2_chkpwd are installed setuid-root per our long-standing entries in our permissions package configuration. The following mode and ownership are set:

    -rwsr-xr-x 1 root shadow 15K 6. Nov 14:41 /sbin/unix2_chkpwd
    -rwsr-xr-x 1 root shadow 27K 6. Nov 14:41 /sbin/unix_chkpwd

The programs are installed with privileges to allow them to check against password hashes in /etc/shadow. /etc/shadow is actually owned by the shadow group:

    -rw-r----- 1 root shadow 1.1K 26. Jul 2019 /etc/shadow

So the question we have is why unix*_chkpwd aren't installed setgid-shadow instead of setuid-root? It looks like this would be sufficient. The current setting with unix_chkpwd being owned by the shadow group but also having the setuid-root bit doesn't make sense in any case.

If you can confirm that installing them setgid-shadow is sufficient then we can adjust the permissions configuration accordingly.

Thank you.
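
Added example, not part of the original report or of the permissions package: a small shell check that compares a helper's mode bits with the group permissions of the shadow file, using the modes listed above (4755 root:shadow for the helper, 640 root:shadow for /etc/shadow). The function names are hypothetical, `audit_helper` assumes GNU `stat`, and only file-read access is evaluated, not whether the helper needs root for anything else.

```shell
#!/bin/sh
# Added example: classify how a password helper gets access to the shadow file.

# classify_helper H_MODE H_OWNER H_GROUP S_MODE S_GROUP
# Modes are octal strings as printed by `stat -c %a`, e.g. 4755 or 640.
# Result (stdout):
#   setgid-candidate:GROUP  helper is setuid-root, but the shadow file is
#                           readable by GROUP, so setgid-GROUP would grant read
#   setuid-only             helper is setuid-root, shadow file not group-readable
#   setgid-ok               helper already runs setgid to the shadow file's group
#   none                    no mode bit gives the helper access to the shadow file
classify_helper() {
    h_mode=$((0$1)); h_owner=$2; h_group=$3
    s_mode=$((0$4)); s_group=$5

    suid=$(( (h_mode & 04000) != 0 ))     # setuid bit on the helper
    sgid=$(( (h_mode & 02000) != 0 ))     # setgid bit on the helper
    grp_read=$(( (s_mode & 040) != 0 ))   # group read bit on the shadow file

    if [ "$suid" -eq 1 ] && [ "$h_owner" = root ]; then
        if [ "$grp_read" -eq 1 ]; then
            echo "setgid-candidate:$s_group"
        else
            echo "setuid-only"
        fi
    elif [ "$sgid" -eq 1 ] && [ "$h_group" = "$s_group" ] && [ "$grp_read" -eq 1 ]; then
        echo "setgid-ok"
    else
        echo "none"
    fi
}

# audit_helper HELPER_PATH [SHADOW_PATH]
# Reads the real mode and ownership with GNU stat and classifies the result.
audit_helper() {
    shadow=${2:-/etc/shadow}
    set -- $(stat -c '%a %U %G' "$1") $(stat -c '%a %G' "$shadow")
    [ "$#" -eq 5 ] || return 1
    classify_helper "$@"
}

# Modes from the listings in this report: prints "setgid-candidate:shadow".
classify_helper 4755 root shadow 640 shadow
```

On a live system, `audit_helper /sbin/unix_chkpwd` runs the same classification against the installed files.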