Bugzilla – Bug 1150527
AUDIT-1: cifs-utils: review pam_cifscreds not yet whitelisted in rpmlint
Last modified: 2020-01-30 14:28:56 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the
packages shipping PAM modules that haven't been reviewed yet. Formerly there
was no badness for this type of rpmlint check. Right now the new review bot
should catch them.
cifs-utils is one of the packages shipping a pam module (pam_cifscreds) that
has not yet been reviewed.
The code should be checked and if all is well a whitelisting be added to
Where is the rpmlint white list config? CheckPAMModules.py loads the white list from it but I couldn't see any existing one.
PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names
(In reply to email@example.com from comment #1)
> Where is the rpmlint white list config? CheckPAMModules.py loads the white
> list from it but I couldn't see any existing one.
The whitelist is managed in OBS directly:
$ osc cat openSUSE:Factory/rpmlint/config | grep PAMModules.WhiteList
But you don't need to worry directly about the whitelist, the security team
will handle it.
I will work on this item.
I'm finished with the review. I couldn't find notable problems. The PAM module
is rather simple: it captures the password in the auth phase to use it in the
session phase to insert it into a kernel keyring.
There's quite some redundancy between cifscreds_pam_add() and
cifscreds_pam_update() that could be improved upon but it is nothing critical.
I've committed the whitelisting for this PAM module to rpmlint, it should hit
Factory in a while.
The whitelisting is by now in Factory, therefore closing this bug as FIXED.