Bug 1212243 - AUDIT-0: libcap2: review and whitelist pam_cap
Status: RESOLVED WONTFIX
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2023-06-12 13:45 UTC by Marcus Meissner
Modified: 2023-06-19 09:07 UTC

Description Marcus Meissner 2023-06-12 13:45:12 UTC
libcap2 brings a PAM module. We had customer requests on SLE to enable it.

It however asks to be whitelisted.

Source is in:

Base:System/libcap
Comment 1 Matthias Gerstner 2023-06-13 07:42:53 UTC
We already looked into it twice, see bug 1203481.

The module is deemed inherently insecure and thus we never whitelisted it.

We considered offering this in an opt-in manner (i.e. requiring an additional
explicit configuration step), but there is no easy way to do that.
Comment 2 Marcus Meissner 2023-06-14 07:50:22 UTC
Currently it would be a separate RPM, would this be opt-in enough?
Comment 3 Matthias Gerstner 2023-06-14 08:08:41 UTC
(In reply to meissner@suse.com from comment #2)
> currently it would be a separate RPM, would this be opt-in enough?

Up to now we did not consider this enough. Installing an RPM can be a side
effect of some `Requires:` or even be triggered from unprivileged users when
following the packagekit model.
Comment 4 Johannes Segitz 2023-06-19 09:07:11 UTC
Discussed it briefly in the meeting. Closing it; please reopen if the customer use case can't be fulfilled any other way.