Bug 1150519 - AUDIT-1: lxc: review pam_cgfs not yet whitelisted in rpmlint
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Importance: P5 - None : Normal
Assigned To: Matthias Gerstner
Blocks: 1150178
Reported: 2019-09-12 10:42 UTC by Matthias Gerstner
Modified: 2020-01-30 14:25 UTC (History)
Description Matthias Gerstner 2019-09-12 10:42:52 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the
packages shipping PAM modules that haven't been reviewed yet. Formerly there
was no badness for this type of rpmlint check. Right now the new review bot
should catch them.

lxc is one of the packages shipping a pam module (pam_cgfs) that hasn't been
reviewed yet.

The code should be reviewed and if all is well the PAM module be whitelisted
in rpmlint.
Comment 1 Matthias Gerstner 2019-09-19 11:39:09 UTC
I will work on this item.
Comment 2 Matthias Gerstner 2019-09-20 11:33:08 UTC
This PAM module is surprisingly big and complex. Basically it attempts to
set up a cgroup-v1 or cgroup-v2 under control of the user about to log in. This
is then used by lxc for being able to limit resources on containers.

Some of the code is strange like all the `must_` functions like
`must_realloc()`. They loop around `malloc()` or `realloc()` until memory is
obtained. Sounds like a plan for disaster.
Files are generally opened without `O_CLOEXEC` but correctly closed.
Generally file handling only deals with files in cgroup file systems and proc
so symlink attacks and similar should not be an issue.
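
The two code observations in comment 2, as an added example that is not lxc's code and not part of the original bug: a sketch of the retry-until-success allocation pattern beside a fail-once variant, plus an open that sets close-on-exec. All function names are hypothetical, and `/proc/self/cgroup` is only a sample path.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_CLOEXEC */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Sketch of the described pattern: never returns if memory stays unavailable. */
void *retry_forever_realloc(void *orig, size_t sz)
{
	void *ret;
	do {
		ret = realloc(orig, sz);
	} while (!ret);
	return ret;
}

/* Fail-once alternative: on failure *buf is untouched and still valid, so the
 * caller can clean up and report an error. Size 0 is refused. Returns 0 or -1. */
int checked_realloc(void **buf, size_t sz)
{
	void *tmp = sz ? realloc(*buf, sz) : NULL;
	if (!tmp)
		return -1;
	*buf = tmp;
	return 0;
}

/* Open read-only with close-on-exec set atomically at open time. */
int open_cloexec(const char *path) { return open(path, O_RDONLY | O_CLOEXEC); }

/* Report whether a descriptor would be closed across execve(). */
int has_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);
	return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

int main(void)
{
	void *p = NULL;
	volatile size_t huge = SIZE_MAX;   /* a request that cannot be satisfied */
	int fd = open_cloexec("/proc/self/cgroup");
	int ok = checked_realloc(&p, 64) == 0 && checked_realloc(&p, huge) == -1;
	printf("alloc handling ok=%d cloexec=%d\n", ok, fd >= 0 && has_cloexec(fd));
	free(p);
	if (fd >= 0) close(fd);
	return 0;
}
```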
Comment 3 Matthias Gerstner 2019-12-16 13:27:16 UTC
I've committed whitelisting for pam_cgfs to rpmlint, it should hit Factory in a
Comment 4 Matthias Gerstner 2020-01-30 14:25:51 UTC
The whitelisting is by now in Factory, closing this bug as FIXED.