Bug 1222457

Summary: AUDIT-WHITELIST: google-guest-oslogin: Please review new PAM module pam_oslogin_admin.so
Product: [openSUSE] openSUSE Tumbleweed Reporter: John Paul Adrian Glaubitz <adrian.glaubitz>
Component: SecurityAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: matthias.gerstner, public-cloud-maintainers
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description John Paul Adrian Glaubitz 2024-04-08 11:22:23 UTC 
A recent submission for an update to the google-guest-oslogin package to Factory was rejected due to the fact that it introduces a new PAM modules [1]:

[   14s] google-guest-oslogin.x86_64: E: pam-file-unauthorized (Badness: 10000) /usr/lib64/security/pam_oslogin_admin.so (sha256 file digest default filter:f9d3249da91257e53c70cf394404be3b13f6eae2a67b74192d48a2fb64941def shell filter:<failed-to-calculate> xml filter:<failed-to-calculate>)
[   14s] Packaging new PAM modules requires a review and whitelisting by the SUSE
[   14s] security team. If the package is intended for inclusion in any SUSE product
[   14s] please open a bug report to request review of the package by the security
[   14s] team. Please refer to
[   14s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   14s] more information.

Since google-guest-oslogin had this PAM module in the past which upstream removed [2] and then reintroduced [3], I think it should be easy to audit this change.

> [1] https://build.opensuse.org/request/show/1164370
> [2] https://github.com/GoogleCloudPlatform/guest-oslogin/pull/116
> [3] https://github.com/GoogleCloudPlatform/guest-oslogin/pull/133
Comment 1 Matthias Gerstner 2024-04-08 11:57:37 UTC 
Whitelisting for this was removed in November since it was no longer packaged.
We will have a look at the current sources to see if anything relevant
changed.
Comment 2 Matthias Gerstner 2024-04-16 08:50:47 UTC 
I will have a look at this. Hopefully not too much has changed since the last
time we looked at this.
Comment 3 Matthias Gerstner 2024-04-16 10:10:32 UTC 
Not too much changed in the codebase since the last review that happened in
bug 1146353. The PAM module preforms `chown()` and `chmod()` calls for files
in /var/google-sudoers.d and /var/google-users.d.

How these directories come into existence is a bit special. They don't use
systemd-tmpfiles or packaging mechanisms, but this happens in a different
package, in google-guest-agent, google_guest_agent/oslogin.go:

```
// Creates necessary OS Login directories if they don't exist.
func createOSLoginDirs(ctx context.Context) error {
        restorecon, restoreconerr := exec.LookPath("restorecon")

        for _, dir := range []string{"/var/google-sudoers.d",
"/var/google-users.d"} {
                err := os.Mkdir(dir, 0750)
                if err != nil && !os.IsExist(err) {
                        return err
                }
                if restoreconerr == nil {
                        run.Quiet(ctx, restorecon, dir)
                }
        }
        return nil
}
```

google-guest-agent and the PAM module run as root, this is the only place
where the directories are created and only root can write to them. Thus no
symlink attacks & friends are possible in these locations.

Otherwise this modules interacts, as outlined in the original bug, with the
cloud instance's metadata URL, and I cannot judge the security/quality of
these APIs.

We will reinstate the whitelisting for the admin PAM module.
Comment 4 Matthias Gerstner 2024-04-16 11:47:50 UTC 
The whitelisting process has been started. rpmlint submissions in Factory are
currently a bit stuck it seems, so it could take some days for the
whitelisting to make it into production.
Comment 5 OBSbugzilla Bot 2024-04-16 12:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1222457) was mentioned in
https://build.opensuse.org/request/show/1168340 Factory / rpmlint
Comment 6 Matthias Gerstner 2024-04-19 07:37:17 UTC 
The whitelisting already made it to Factory. Closing as fixed.