Bugzilla – Full Text Bug Listing

| Summary: | AUDIT-WHITELIST: systemd: new PAM module pam_systemd_loadkey.so | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Franck Bui <fbui> |
| Component: | Security | Assignee: | Matthias Gerstner <matthias.gerstner> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | dimstar, lnussel, security-team, systemd-maintainers, wolfgang.frisch |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Hi Secteam,

This new PAM module introduced in systemd v255 needs to be reviewed.

Here's the full warning:

> [ 369s] systemd.x86_64: E: pam-file-unauthorized (Badness: 10) /usr/lib64/security/pam_systemd_loadkey.so (sha256 file digest default filter:774e32bca722bc244bab2cc24e6a5d30b6c5a222c7081ea31259972317fedbb9 shell filter:<failed-to-calculate> xml filter:<failed-to-calculate>)
> [ 369s] Packaging new PAM modules requires a review and whitelisting by the SUSE
> [ 369s] security team. If the package is intended for inclusion in any SUSE product
> [ 369s] please open a bug report to request review of the package by the security
> [ 369s] team.

And a description of the functionality brought by this new PAM module can be found in the NEWS file:

* A new pam_systemd_loadkey.so PAM module is now available, which will automatically fetch the passphrase used by cryptsetup to unlock the root file system and set it as the PAM authtok. This enables, among other things, configuring auto-unlock of the GNOME Keyring / KDE Wallet when autologin is configured.

Note that the PAM module is not yet integrated in the spec file, so it's not automatically added on package installation/update.

Thanks.

The package seems to be found in home:fbui:systemd:systemd-255/systemd. The PAM module is only about 100 lines of C code. Since it deals with cryptsetup passwords we should still carefully review it.

I reviewed the code. It is really straightforward. The cryptsetup key (passphrase?) is retrieved from a kernel keyring. If one is available then this is stored as PAM_AUTHTOK and can thus be reused for automatic login to the display manager, for unlocking password managers etc. The PAM module can be whitelisted.

Whitelisting is in progress.

The pam file also exists in systemd-mini.

Either we need it whitelisted there too - or have it removed from the mini package:

[ 100s] systemd-mini.x86_64: E: pam-file-unauthorized (Badness: 10000) /usr/lib64/security/pam_systemd_loadkey.so (sha256 file digest default filter:13fedd6ca407ae9b0c5efcef7527d9bca007f4590ef7d32bb0e83fe437ad2782 shell filter:<failed-to-calculate> xml filter:<failed-to-calculate>)
[ 100s] Packaging new PAM modules requires a review and whitelisting by the SUSE
[ 100s] security team. If the package is intended for inclusion in any SUSE product
[ 100s] please open a bug report to request review of the package by the security
[ 100s] team. Please refer to
[ 100s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 100s] more information.

(In reply to dimstar@opensuse.org from comment #4)
> The pam file also exists in systemd-mini
>
> Either we need it whitelisted there too - or have it removed from the mini package

Please remember to point that out right away in the future so we can do it in one go. I don't know what the scope of systemd-mini is, so I leave it up to you or whoever knows the scope to decide whether this should be part of systemd-mini or not.

The module has no special requirements, nor a build flag to turn it off, so it just ends up in the mini package and doesn't hurt there. So IMO it is safe to whitelist in the mini package too.

This is an autogenerated message for OBS integration: This bug (1220249) was mentioned in https://build.opensuse.org/request/show/1155260 Factory / rpmlint

The addition of systemd-mini is on its way.

This is an autogenerated message for OBS integration: This bug (1220249) was mentioned in https://build.opensuse.org/request/show/1155534 Factory / rpmlint

This is an autogenerated message for OBS integration: This bug (1220249) was mentioned in https://build.opensuse.org/request/show/1156346 Factory / rpmlint

This is an autogenerated message for OBS integration: This bug (1220249) was mentioned in https://build.opensuse.org/request/show/1156898 Factory / rpmlint

This is an autogenerated message for OBS integration: This bug (1220249) was mentioned in https://build.opensuse.org/request/show/1156938 Factory / rpmlint

The whitelisting for systemd-mini is also in Factory now.
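As an added illustration that is not part of the bug report or of systemd's own documentation, this is the PAM stacking the NEWS entry describes: pam_systemd_loadkey.so placed ahead of the keyring module in the auth stack of an autologin service, so the passphrase it fetches from the kernel keyring is the authtok the keyring module then uses. The service file name (gdm-autologin) and the use of pam_gnome_keyring.so are assumptions.

```text
# /etc/pam.d/gdm-autologin   (assumed service name; illustration only)
#
# auth stack: pam_systemd_loadkey.so must run BEFORE the keyring module,
# because it is the one that fills PAM_AUTHTOK with the passphrase that
# systemd-cryptsetup stored in the kernel keyring when it unlocked the
# root volume. keyname=cryptsetup is the module's default key name,
# spelled out here for clarity. "optional" means that when no key is
# cached (the root volume was not unlocked with a passphrase, or the key
# has already expired from the keyring) the stack simply continues.
auth    optional    pam_systemd_loadkey.so keyname=cryptsetup
auth    optional    pam_gnome_keyring.so

# session: the keyring module unlocks the login keyring with the authtok
# that pam_systemd_loadkey.so set above.
session optional    pam_gnome_keyring.so auto_start
```

Because the root-volume passphrase becomes the PAM authtok, keep this stack confined to the autologin service rather than adding the module to a common auth include shared by every login path.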