Bugzilla – Bug 1150527
AUDIT-1: cifs-utils: review pam_cifscreds not yet whitelisted in rpmlint
Last modified: 2020-01-30 14:28:56 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the packages shipping PAM modules that haven't been reviewed yet. Formerly there was no badness for this type of rpmlint check. Right now the new review bot should catch them. cifs-utils is one of the packages shipping a PAM module (pam_cifscreds) that has not yet been reviewed. The code should be checked and if all is well a whitelisting be added to rpmlint.
Where is the rpmlint white list config? CheckPAMModules.py loads the white list from it but I couldn't see any existing one.
    PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names
(In reply to aaptel@suse.com from comment #1)
> Where is the rpmlint white list config? CheckPAMModules.py loads the white
> list from it but I couldn't see any existing one.
The whitelist is managed in OBS directly:
    $ osc cat openSUSE:Factory/rpmlint/config | grep PAMModules.WhiteList
But you don't need to worry directly about the whitelist, the security team will handle it.
I will work on this item.
I'm finished with the review. I couldn't find notable problems. The PAM module is rather simple: it captures the password in the auth phase to use it in the session phase to insert it into a kernel keyring. There's quite some redundancy between cifscreds_pam_add() and cifscreds_pam_update() that could be improved upon but it is nothing critical.
I've committed the whitelisting for this PAM module to rpmlint, it should hit Factory in a while.
The whitelisting is by now in Factory, therefore closing this bug as FIXED.
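The whitelist gate discussed in the comments above, as an added sketch that is not rpmlint's CheckPAMModules.py and not part of the original bug report: it flags packaged PAM modules whose file name is missing from a whitelist, keyed on file names as the quoted `# set of file names` comment indicates. The function name, the module directory pattern and the file list are assumptions constructed for illustration.

```python
import re

# Assumption: PAM modules are shared objects placed directly in one of the
# usual security directories; files in subdirectories are not modules.
PAM_MODULE_RE = re.compile(r'^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$')


def unreviewed_pam_modules(files, whitelist):
    """Return sorted file names of packaged PAM modules not in the whitelist.

    files     -- iterable of absolute paths shipped by the package
    whitelist -- iterable of reviewed module file names (e.g. 'pam_unix.so')
    """
    allowed = set(whitelist)
    flagged = set()
    for path in files:
        match = PAM_MODULE_RE.match(path)
        if match is None:
            continue  # man pages, binaries, helper dirs: not a PAM module
        name = match.group(1)
        if name not in allowed:
            flagged.add(name)  # would be reported as a packaging error
    return sorted(flagged)


# Constructed file list resembling a package that ships pam_cifscreds.
CIFS_UTILS_FILES = [
    "/sbin/mount.cifs",
    "/usr/bin/cifscreds",
    "/lib64/security/pam_cifscreds.so",
    "/usr/share/man/man8/pam_cifscreds.8.gz",
]

if __name__ == "__main__":
    # Before the review: the module is not whitelisted and gets flagged.
    print(unreviewed_pam_modules(CIFS_UTILS_FILES, ["pam_unix.so"]))
    # After the review: the whitelist entry silences the check.
    print(unreviewed_pam_modules(
        CIFS_UTILS_FILES, ["pam_unix.so", "pam_cifscreds.so"]))
```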