authorAndrew G. Morgan <morgan@kernel.org>2023-05-06 22:24:39 -0700
committerAndrew G. Morgan <morgan@kernel.org>2023-05-09 18:56:14 -0700
commit6baf268986bc8791d069a25a0514241b5467e379 (patch)
tree30b94c8f1bfcdc233c3b32d5c366b55556fa21a4 /pam_cap/test_pam_cap.c
parent917c8b5d3450870b4f25fd4a5a5198faa9de9aeb (diff)
Ignore the content of a capability.conf file if it is world-writable.
Other than the case of /dev/null, there is no situation in which pam_cap.so should act on world-writable config files. There are legitimate local administration choices for the file being owned by non-root users, and similarly writable by a group of trusted users. So, we do not require any specific ownership for the file and do not check for writable access based on owner or group membership. Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit of the libcap source code in April of 2023. The audit was sponsored by the Open Source Technology Improvement Fund (https://ostif.org/). Audit ref: LCAP-CR-23-101 Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'pam_cap/test_pam_cap.c')
-rw-r--r--pam_cap/test_pam_cap.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/pam_cap/test_pam_cap.c b/pam_cap/test_pam_cap.c
index 886888e..4bcf236 100644
--- a/pam_cap/test_pam_cap.c
+++ b/pam_cap/test_pam_cap.c
@@ -237,10 +237,21 @@ int main(int argc, char *argv[]) {
printf("failed to parse arguments\n");
exit(1);
}
- if (read_capabilities_for_user("morgan", "/dev/null") != NULL) {
+ if (read_capabilities_for_user("alpha", "/dev/null") != NULL) {
printf("/dev/null should return no capabilities\n");
exit(1);
}
+ if (read_capabilities_for_user("unknown", "capability.conf") != NULL) {
+ printf("capability.conf should return no capabilities for unknown\n");
+ exit(1);
+ }
+ char *iab_text = read_capabilities_for_user("alpha", "./incapable.conf");
+ if (iab_text != NULL) {
+ printf("./incapable.conf should grant no capabilities: got=%s\n",
+ iab_text);
+ free(iab_text);
+ exit(1);
+ }
/*
* Start out with a cleared inheritable set.