Bug 1169494 - AUDIT-0: oddjob: review D-Bus and PAM
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Assigned To: Matthias Gerstner
Depends on: CVE-2020-10737
Reported: 2020-04-15 01:36 UTC by Sasi Olin
Modified: 2022-06-22 09:26 UTC

Description Sasi Olin 2020-04-15 01:36:52 UTC
https://build.opensuse.org/package/show/security:idm/oddjob
A new package for inclusion in Factory and Leap 15.2:

oddjob-mkhomedir.x86_64: W: suse-pam-unauthorized-module pam_oddjob_mkhomedir.so
oddjob-mkhomedir.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/oddjob-mkhomedir.conf
oddjob.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/oddjob.conf
Comment 1 Matthias Gerstner 2020-04-15 08:12:43 UTC
Thank you for opening the review bug. We will schedule the review. It might
take a bit longer since we're under an increased load in reviews currently.
Comment 2 Matthias Gerstner 2020-04-22 11:36:54 UTC
I will look into this.
Comment 3 Matthias Gerstner 2020-04-24 11:57:04 UTC
I'm through with the review. Oddjob itself looks decent enough we can accept
it.

Do you need the oddjob-mkhomedir sub-package, however? Are there actually
people out there using it? It seems more like an example implementation for an
oddjob service.

There is a minor security issue in the mkhomedir logic that I will report to
upstream.
Comment 4 Sasi Olin 2020-04-24 12:36:56 UTC
(In reply to Matthias Gerstner from comment #3)
> Do you need the oddjob-mkhomedir sub-package, however? Are there actually
> people out there using it? It seems more like an example implementation for
> an oddjob service.

It's used by freeipa to create home directories afaik
Comment 5 Neal Gompa 2020-04-29 02:24:56 UTC
(In reply to Stasiek Michalski from comment #4)
> (In reply to Matthias Gerstner from comment #3)
> > Do you need the oddjob-mkhomedir sub-package, however? Are there actually
> > people out there using it? It seems more like an example implementation for
> > an oddjob service.
> 
> It's used by freeipa to create home directories afaik

Yep. It's used by SSSD, FreeIPA, authselect, and a few others...
Comment 6 Matthias Gerstner 2020-05-11 11:43:13 UTC
The whitelisting for the D-Bus and PAM components is on its way to Factory via
OBS sr#802654.

If you need this backported to Leap 15.2 then I'm not quite sure whether
rpmlint will be copied once more from Factory or not. Anyways let's first wait
until the package is in Factory and then worry about Leap.
Comment 7 Matthias Gerstner 2020-05-18 11:43:20 UTC
The whitelisting is now in Factory, oddjob is also in Factory. Closing.
Comment 9 Swamp Workflow Management 2021-09-17 19:21:16 UTC
# maintenance_jira_update_notice
SUSE-RU-2021:3128-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    rpmlint-1.10-7.25.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    rpmlint-1.10-7.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-09-17 19:22:28 UTC
# maintenance_jira_update_notice
openSUSE-RU-2021:3128-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rpmlint-1.10-7.25.1
Comment 11 Swamp Workflow Management 2021-09-21 20:53:23 UTC
# maintenance_jira_update_notice
openSUSE-RU-2021:1297-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rpmlint-1.10-lp152.12.9.1, rpmlint-tests-84.87+git20181018.60e0249-lp152.12.9.1
Comment 12 Swamp Workflow Management 2021-09-25 01:19:32 UTC
openSUSE-RU-2021:1306-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1169494,1189106
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    rpmlint-1.10-bp152.4.12.1
Comment 13 Neal Gompa 2021-10-06 11:37:27 UTC
oddjob is failing in Factory again because it's not on the whitelist in rpmlint anymore: https://build.opensuse.org/package/live_build_log/openSUSE:Factory/oddjob/standard/x86_64

> [   22s] oddjob-mkhomedir.x86_64: E: dbus-file-unauthorized (Badness: 10000) /etc/dbus-1/system.d/oddjob-mkhomedir.conf (file digest sha256:d2c9c153eb63540340561a508d3c6c397bffdf45f43ba700699644c033db0ab1)
> [   22s] Packaging D-Bus services requires a review and whitelisting by the SUSE
> [   22s] security team. If the package is intended for inclusion in any SUSE product
> [   22s] please open a bug report to request review of the package by the security
> [   22s] team. Please refer to
> [   22s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
> [   22s] more information.

What happened to cause this?
Comment 14 Matthias Gerstner 2021-10-06 12:37:40 UTC
(In reply to Neal Gompa from comment #13)
> oddjob is failing in Factory again because it's not on the whitelist in
> rpmlint anymore:
[...]
> What happened to cause this?

rpmlint has received a major update in Factory and the whole whitelisting mechanism has been rewritten. It seems oddjob-mkhomedir got lost when we synced additions we made to the old whitelist. I am sorry for the troubles. I will fix the whitelist.
Comment 15 OBSbugzilla Bot 2021-10-06 14:43:36 UTC
This is an autogenerated message for OBS integration:
This bug (1169494) was mentioned in
https://build.opensuse.org/request/show/923496 Factory / rpmlint
Comment 16 Matthias Gerstner 2021-10-11 08:01:55 UTC
The fixed whitelisting is now in Factory. It might take a couple of days until
rpmlint-mini is rebuilt with the new whitelisting but otherwise things should
be fixed now. Closing.