Bug 1212243

Summary: AUDIT-0: libcap2: review and whitelist pam_cap
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Audits
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: matthias.gerstner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2023-06-12 13:45:12 UTC
libcap2 brings a PAM module. We had customer requests on SLE to enable it.

It however asks to be whitelisted.

Source is in:

Base:System/libcap
Comment 1 Matthias Gerstner 2023-06-13 07:42:53 UTC
We already looked into it twice, see bug 1203481.

The module is deemed inherently insecure and thus we never whitelisted it.

We considered offering this in an opt-in manner (i.e. requiring an additional
explicit configuration step), but there is no easy way to do that.
Comment 2 Marcus Meissner 2023-06-14 07:50:22 UTC
Currently it would be a separate RPM; would this be opt-in enough?
Comment 3 Matthias Gerstner 2023-06-14 08:08:41 UTC
(In reply to meissner@suse.com from comment #2)
> Currently it would be a separate RPM; would this be opt-in enough?

Up to now we did not consider this enough. Installing an RPM can be a side
effect of some `Requires:` or even be triggered from unprivileged users when
following the packagekit model.
Comment 4 Johannes Segitz 2023-06-19 09:07:11 UTC
Discussed it briefly in the meeting. Closing it; please reopen if the customer use case can't be fulfilled any other way.