From 6baf268986bc8791d069a25a0514241b5467e379 Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sat, 6 May 2023 22:24:39 -0700 Subject: Ignore the content of a capability.conf file if it is world-writable. Other than the case of /dev/null, there is no situation in which pam_cap.so should act on world writable config files. There are legitimate local administration choices for the file being owned by non-root users, and similarly writable by a group of trusted users. So, we do not require any specific ownership for the file and do not check for writable access based on owner of group membership. Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit of the libcap source code in April of 2023. The audit was sponsored by the Open Source Technology Improvement Fund (https://ostif.org/). Audit ref: LCAP-CR-23-101 Signed-off-by: Andrew G. Morgan --- pam_cap/test_pam_cap.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'pam_cap/test_pam_cap.c') diff --git a/pam_cap/test_pam_cap.c b/pam_cap/test_pam_cap.c index 886888e..4bcf236 100644 --- a/pam_cap/test_pam_cap.c +++ b/pam_cap/test_pam_cap.c @@ -237,10 +237,21 @@ int main(int argc, char *argv[]) { printf("failed to parse arguments\n"); exit(1); } - if (read_capabilities_for_user("morgan", "/dev/null") != NULL) { + if (read_capabilities_for_user("alpha", "/dev/null") != NULL) { printf("/dev/null should return no capabilities\n"); exit(1); } + if (read_capabilities_for_user("unknown", "capability.conf") != NULL) { + printf("capability.conf should return no capabilities for unknown\n"); + exit(1); + } + char *iab_text = read_capabilities_for_user("alpha", "./incapable.conf"); + if (iab_text != NULL) { + printf("./incapable.conf should grant no capabilities: got=%s\n", + iab_text); + free(iab_text); + exit(1); + } /* * Start out with a cleared inheritable set. -- cgit v1.2.3