mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 21:11:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-libs/pam: Make /sbin/unix_chkpwd suid

Browse Source 
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
This commit is contained in:
Krzesimir Nowak 2020-08-22 17:07:26 +02:00 committed by Kai Lüke
parent 660d0f310b
commit a0156ce756
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild vendored
View File

@ -9,7 +9,7 @@ EAPI=7
MY_P="Linux-${PN^^}-${PV}" MY_P="Linux-${PN^^}-${PV}"
inherit autotools db-use fcaps toolchain-funcs multilib-minimal inherit autotools db-use toolchain-funcs multilib-minimal
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam" HOMEPAGE="https://github.com/linux-pam/linux-pam"
@ -100,6 +100,12 @@ multilib_src_install() {
multilib_src_install_all() { multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die find "${ED}" -type f -name '*.la' -delete || die
# Flatcar: The pam_unix module needs to check the password of
# the user which requires read access to /etc/shadow
# only. Make it suid instead of using CAP_DAC_OVERRIDE to
# avoid a pam -> libcap -> pam dependency loop.
fperms 4711 /sbin/unix_chkpwd
# tmpfiles.eclass is impossible to use because # tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop # there is the pam -> tmpfiles -> systemd -> pam dependency loop
@ -132,8 +138,4 @@ pkg_postinst() {
ewarn " lsof / | egrep -i 'del.*libpam\\.so'" ewarn " lsof / | egrep -i 'del.*libpam\\.so'"
ewarn "" ewarn ""
ewarn "Alternatively, simply reboot your system." ewarn "Alternatively, simply reboot your system."
# The pam_unix module needs to check the password of the user which requires
# read access to /etc/shadow only.
fcaps cap_dac_override sbin/unix_chkpwd
} }