Bugzilla – Bug 1169494
AUDIT-0: oddjob: review D-Bus and PAM
Last modified: 2022-06-22 09:26:53 UTC
https://build.opensuse.org/package/show/security:idm/oddjob
A new package for inclusion in Factory and Leap 15.2:
oddjob-mkhomedir.x86_64: W: suse-pam-unauthorized-module pam_oddjob_mkhomedir.so
oddjob-mkhomedir.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/oddjob-mkhomedir.conf
oddjob.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/oddjob.conf
Thank you for opening the review bug. We will schedule the review. It might take a bit longer since we're under an increased load in reviews currently.
I will look into this.
I'm through with the review. Oddjob itself looks decent enough we can accept it. Do you need the oddjob-mkhomedir sub-package, however? Are there actually people out there using it? It seems more like an example implementation for an oddjob service. There is a minor security issue in the mkhomedir logic that I will report to upstream.
(In reply to Matthias Gerstner from comment #3)
> Do you need the oddjob-mkhomedir sub-package, however? Are there actually
> people out there using it? It seems more like an example implementation for
> an oddjob service.
It's used by freeipa to create home directories afaik
(In reply to Stasiek Michalski from comment #4)
> (In reply to Matthias Gerstner from comment #3)
> > Do you need the oddjob-mkhomedir sub-package, however? Are there actually
> > people out there using it? It seems more like an example implementation for
> > an oddjob service.
>
> It's used by freeipa to create home directories afaik
Yep. It's used by SSSD, FreeIPA, authselect, and a few others...
The whitelisting for the D-Bus and PAM components is on its way to Factory via OBS sr#802654. If you need this backported to Leap 15.2 then I'm not quite sure whether rpmlint will be copied once more from Factory or not. Anyway, let's first wait until the package is in Factory and then worry about Leap.
The whitelisting is now in Factory, oddjob is also in Factory. Closing.
SUSE-RU-2021:3128-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): rpmlint-1.10-7.25.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): rpmlint-1.10-7.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-RU-2021:3128-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): rpmlint-1.10-7.25.1
openSUSE-RU-2021:1297-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): rpmlint-1.10-lp152.12.9.1, rpmlint-tests-84.87+git20181018.60e0249-lp152.12.9.1
openSUSE-RU-2021:1306-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): rpmlint-1.10-bp152.4.12.1
oddjob is failing in Factory again because it's not on the whitelist in rpmlint anymore: https://build.opensuse.org/package/live_build_log/openSUSE:Factory/oddjob/standard/x86_64
> [ 22s] oddjob-mkhomedir.x86_64: E: dbus-file-unauthorized (Badness: 10000) /etc/dbus-1/system.d/oddjob-mkhomedir.conf (file digest sha256:d2c9c153eb63540340561a508d3c6c397bffdf45f43ba700699644c033db0ab1)
> [ 22s] Packaging D-Bus services requires a review and whitelisting by the SUSE
> [ 22s] security team. If the package is intended for inclusion in any SUSE product
> [ 22s] please open a bug report to request review of the package by the security
> [ 22s] team. Please refer to
> [ 22s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
> [ 22s] more information.
What happened to cause this?
(In reply to Neal Gompa from comment #13)
> oddjob is failing in Factory again because its not on the whitelist in
> rpmlint anymore:
[...]
> What happened to cause this?
rpmlint has received a major update in Factory and the whole whitelisting mechanism has been rewritten. It seems oddjob-mkhomedir got lost when we synced additions we made to the old whitelist. I am sorry for the troubles. I will fix the whitelist.
This is an autogenerated message for OBS integration:
This bug (1169494) was mentioned in
https://build.opensuse.org/request/show/923496 Factory / rpmlint
The fixed whitelisting is now in Factory. It might take a couple of days until rpmlint-mini is rebuilt with the new whitelisting but otherwise things should be fixed now. Closing.