Bugzilla – Bug 1222457
AUDIT-WHITELIST: google-guest-oslogin: Please review new PAM module pam_oslogin_admin.so
Last modified: 2024-04-19 07:37:17 UTC
A recent submission for an update to the google-guest-oslogin package to Factory was rejected due to the fact that it introduces a new PAM module [1]:

```
[ 14s] google-guest-oslogin.x86_64: E: pam-file-unauthorized (Badness: 10000) /usr/lib64/security/pam_oslogin_admin.so (sha256 file digest default filter:f9d3249da91257e53c70cf394404be3b13f6eae2a67b74192d48a2fb64941def shell filter:<failed-to-calculate> xml filter:<failed-to-calculate>)
[ 14s] Packaging new PAM modules requires a review and whitelisting by the SUSE
[ 14s] security team. If the package is intended for inclusion in any SUSE product
[ 14s] please open a bug report to request review of the package by the security
[ 14s] team. Please refer to
[ 14s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 14s] more information.
```

Since google-guest-oslogin had this PAM module in the past, which upstream removed [2] and then reintroduced [3], I think it should be easy to audit this change.

[1] https://build.opensuse.org/request/show/1164370
[2] https://github.com/GoogleCloudPlatform/guest-oslogin/pull/116
[3] https://github.com/GoogleCloudPlatform/guest-oslogin/pull/133
Whitelisting for this was removed in November since it was no longer packaged. We will have a look at the current sources to see if anything relevant changed.
I will have a look at this. Hopefully not too much has changed since the last time we looked at this.
Not too much changed in the codebase since the last review that happened in bug 1146353. The PAM module performs `chown()` and `chmod()` calls for files in /var/google-sudoers.d and /var/google-users.d. How these directories come into existence is a bit special. They don't use systemd-tmpfiles or packaging mechanisms; instead this happens in a different package, in google-guest-agent, google_guest_agent/oslogin.go:

```go
// Creates necessary OS Login directories if they don't exist.
func createOSLoginDirs(ctx context.Context) error {
	restorecon, restoreconerr := exec.LookPath("restorecon")
	for _, dir := range []string{"/var/google-sudoers.d", "/var/google-users.d"} {
		err := os.Mkdir(dir, 0750)
		if err != nil && !os.IsExist(err) {
			return err
		}
		if restoreconerr == nil {
			run.Quiet(ctx, restorecon, dir)
		}
	}
	return nil
}
```

google-guest-agent and the PAM module run as root, this is the only place where the directories are created and only root can write to them. Thus no symlink attacks & friends are possible in these locations. Otherwise this module interacts, as outlined in the original bug, with the cloud instance's metadata URL, and I cannot judge the security/quality of these APIs. We will reinstate the whitelisting for the admin PAM module.
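The reasoning in the comment above (root-created directories with mode 0750, so no symlink or unprivileged-write issues) is the kind of invariant a reviewer would want enforced rather than assumed. The following is an added example written for this page; it is not code from google-guest-agent or from the PAM module. It mirrors the agent's `Mkdir(dir, 0750)` and then verifies, before any `chown()`/`chmod()` work would happen inside the directory, that the path is a real directory (not a symlink), owned by the expected uid, and not group- or world-writable. The function names `ensurePrivateDir` and `checkPrivateDir`, and the `wantUID` parameter (the real agent would simply expect uid 0), are assumptions made so the check can be exercised as a non-root user.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// checkPrivateDir verifies that dir is a genuine directory that only the
// expected owner can write to. It uses Lstat so that a symlink planted at
// the path is seen as a symlink and rejected instead of being followed.
// (Illustrative helper, not part of google-guest-agent.)
func checkPrivateDir(dir string, wantUID uint32) error {
	fi, err := os.Lstat(dir)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s is a symlink, refusing to use it", dir)
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	st, ok := fi.Sys().(*syscall.Stat_t) // Unix-only ownership information
	if !ok {
		return fmt.Errorf("%s: cannot determine ownership", dir)
	}
	if st.Uid != wantUID {
		return fmt.Errorf("%s is owned by uid %d, want %d", dir, st.Uid, wantUID)
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s is group/world writable (%04o)", dir, fi.Mode().Perm())
	}
	return nil
}

// ensurePrivateDir creates dir with mode 0750 like the agent does, treats an
// existing path as acceptable, and then validates it with checkPrivateDir.
// Mkdir returns "exists" even when the existing entry is a symlink, which is
// exactly the case the follow-up check catches.
func ensurePrivateDir(dir string, wantUID uint32) error {
	if err := os.Mkdir(dir, 0o750); err != nil && !os.IsExist(err) {
		return err
	}
	return checkPrivateDir(dir, wantUID)
}

func main() {
	// Stand-alone demonstration in a temporary directory (constructed input).
	base, err := os.MkdirTemp("", "oslogin-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	me := uint32(os.Getuid())
	good := filepath.Join(base, "google-sudoers.d")
	fmt.Println("fresh dir:", ensurePrivateDir(good, me))

	// A symlink sitting where the directory should be is rejected.
	link := filepath.Join(base, "google-users.d")
	if err := os.Symlink(base, link); err != nil {
		panic(err)
	}
	fmt.Println("symlink :", ensurePrivateDir(link, me))
}
```

The same check can be applied per file inside the directory before the module's `chown()`/`chmod()` calls, which turns the "only root writes here" assumption into something that fails loudly if the deployment ever deviates from it.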
The whitelisting process has been started. rpmlint submissions in Factory are currently a bit stuck it seems, so it could take some days for the whitelisting to make it into production.
This is an autogenerated message for OBS integration: This bug (1222457) was mentioned in https://build.opensuse.org/request/show/1168340 Factory / rpmlint
The whitelisting already made it to Factory. Closing as fixed.