Bug 1150527 - AUDIT-1: cifs-utils: review pam_cifscreds not yet whitelisted in rpmlint
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Matthias Gerstner
Blocks: 1150178
Reported: 2019-09-12 11:02 UTC by Matthias Gerstner
Modified: 2020-01-30 14:28 UTC (History)

Description Matthias Gerstner 2019-09-12 11:02:12 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the
packages shipping PAM modules that haven't been reviewed yet. Formerly there
was no badness for this type of rpmlint check. Right now the new review bot
should catch them.

cifs-utils is one of the packages shipping a pam module (pam_cifscreds) that
has not yet been reviewed.

The code should be checked and if all is well a whitelisting be added to
rpmlint.
Comment 1 Aurelien Aptel 2019-09-13 12:37:49 UTC
Where is the rpmlint white list config? CheckPAMModules.py loads the white list from it but I couldn't see any existing one.

PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ())  # set of file names
Comment 2 Matthias Gerstner 2019-09-13 12:47:11 UTC
(In reply to aaptel@suse.com from comment #1)
> Where is the rpmlint white list config? CheckPAMModules.py loads the white
> list from it but I couldn't see any existing one.

The whitelist is managed in OBS directly:

$ osc cat openSUSE:Factory/rpmlint/config | grep PAMModules.WhiteList

But you don't need to worry directly about the whitelist, the security team
will handle it.
Comment 3 Matthias Gerstner 2019-09-18 13:30:19 UTC
I will work on this item.
Comment 4 Matthias Gerstner 2019-09-19 11:04:01 UTC
I'm finished with the review. I couldn't find notable problems. The PAM module
is rather simple: it captures the password in the auth phase to use it in the
session phase to insert it into a kernel keyring.

There's quite some redundancy between cifscreds_pam_add() and
cifscreds_pam_update() that could be improved upon but it is nothing critical.
Comment 5 Matthias Gerstner 2019-12-16 12:52:14 UTC
I've committed the whitelisting for this PAM module to rpmlint, it should hit
Factory in a while.
Comment 6 Matthias Gerstner 2020-01-30 14:28:56 UTC
The whitelisting is by now in Factory, therefore closing this bug as FIXED.