Deployed e751893 with MkDocs version: 1.5.3

news/index.html

@@ -322,6 +322,15 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
+        <li class="md-nav__item">
+  <a href="#january-3-2024" class="md-nav__link">
+    <span class="md-ellipsis">
+      January 3, 2024
+    </span>
+  </a>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#december-27-2023" class="md-nav__link">
     <span class="md-ellipsis">
@@ -754,6 +763,8 @@
 
 <h1 id="news">News<a class="headerlink" href="#news" title="Permanent link">&para;</a></h1>
 <p>These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.</p>
+<h2 id="january-3-2024">January 3, 2024<a class="headerlink" href="#january-3-2024" title="Permanent link">&para;</a></h2>
+<p><a href="../packages/control/">control</a> <code>0.8.0-7</code> can now manage two SUID root PAM helper programs <code>unix_chkpwd</code> and <code>pam_timestamp_check</code>.</p>
 <h2 id="december-27-2023">December 27, 2023<a class="headerlink" href="#december-27-2023" title="Permanent link">&para;</a></h2>
 <p><a href="../packages/control/">control</a> <code>0.8.0-5</code> can now manage user password hashing scheme and password policy in use by PAM-aware programs.</p>
 <h2 id="december-18-2023">December 18, 2023<a class="headerlink" href="#december-18-2023" title="Permanent link">&para;</a></h2>
@@ -802,7 +813,7 @@ A typical facility is a SUID/SGID/setcap program or a configuration setting of a
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 27, 2023</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">January 3, 2024</span>
   </span>
 
     

packages/control/index.html

@@ -758,7 +758,7 @@
 <h1 id="extra-package-control">Extra package: control<a class="headerlink" href="#extra-package-control" title="Permanent link">&para;</a></h1>
 <h2 id="el9">EL9<a class="headerlink" href="#el9" title="Permanent link">&para;</a></h2>
 <ul>
-<li>Version <code>0.8.0-5.el9_3.security</code></li>
+<li>Version <code>0.8.0-7.el9_3.security</code></li>
 </ul>
 <h3 id="package-summary">Package summary<a class="headerlink" href="#package-summary" title="Permanent link">&para;</a></h3>
 <p><code>control</code> provides a common interface to register and control (what it calls) system facilities.
@@ -775,8 +775,10 @@ mount           public          (public wheelonly unprivileged restricted)
 newgidmap           public        (public wheelonly restricted)
 newgrp              public        (public wheelonly restricted)
 newuidmap           public        (public wheelonly restricted)
+pam_timestamp_check public        (public restricted)
 password-hash       sha512crypt   (sha512crypt yescrypt)
 password-policy     pwquality     (pwquality passwdqc)
+unix_chkpwd         public        (public restricted)
 write               public        (public restricted)
 </code></pre></div>
 <p>With maximum security hardening, it changes to:</p>
@@ -786,14 +788,15 @@ mount           restricted      (public wheelonly unprivileged restricted)
 newgidmap           restricted    (public wheelonly restricted)
 newgrp              restricted    (public wheelonly restricted)
 newuidmap           restricted    (public wheelonly restricted)
+pam_timestamp_check restricted    (public restricted)
 password-hash       yescrypt      (sha512crypt yescrypt)
 password-policy     passwdqc      (pwquality passwdqc)
+unix_chkpwd         restricted    (public restricted)
 write               restricted    (public restricted)
 </code></pre></div>
-<p>The default settings (typically <code>public</code>) correspond to EL packages' defaults (and are typically the most relaxed security-wise).</p>
 <p>Please refer to <code>control(8)</code> man page for command-line usage syntax.</p>
 <h3 id="sub-packages">Sub-packages<a class="headerlink" href="#sub-packages" title="Permanent link">&para;</a></h3>
-<p>Currently, there are 3 sub-packages:</p>
+<p>Currently, there are 4 sub-packages:</p>
 <h4 id="control">control<a class="headerlink" href="#control" title="Permanent link">&para;</a></h4>
 <p>The main package providing the common interface, but no facilities of its own.</p>
 <h4 id="control-shadow-utils">control-shadow-utils<a class="headerlink" href="#control-shadow-utils" title="Permanent link">&para;</a></h4>
@@ -801,9 +804,18 @@ write           restricted      (public restricted)
 <h4 id="control-util-linux">control-util-linux<a class="headerlink" href="#control-util-linux" title="Permanent link">&para;</a></h4>
 <p>Facility specifications corresponding to the <code>util-linux</code> and <code>util-linux-core</code> packages. Currently, these allow to <code>control</code> access to 3 privileged programs - 2 of them (<code>mount</code> and <code>umount</code>) are by default SUID root and 1 (<code>write</code>) SGID <code>tty</code>.</p>
 <h4 id="control-pam">control-pam<a class="headerlink" href="#control-pam" title="Permanent link">&para;</a></h4>
-<p>Facility specifications corresponding to the <code>pam</code> package. Currently, these allow to <code>control</code> user password hashing scheme and password policy in use by PAM-aware programs.</p>
+<p>Facility specifications corresponding to the <code>pam</code> package. Currently, these allow to <code>control</code> user password hashing scheme and password policy in use by PAM-aware programs, as well as two SUID root PAM helper programs <code>unix_chkpwd</code> and <code>pam_timestamp_check</code>.</p>
 <h3 id="change-log">Change log<a class="headerlink" href="#change-log" title="Permanent link">&para;</a></h3>
-<div class="highlight"><pre><span></span><code>* Wed Dec 27 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-5
+<div class="highlight"><pre><span></span><code>* Wed Jan  3 2024 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-7
+- Add unix_chkpwd and pam_timestamp_check facilities to the pam sub-package
+
+* Wed Jan  3 2024 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-6
+- Revise password-hash and password-policy to process the underlying two
+  &quot;sub-facilities&quot; (for the two configuration files updated by each of these)
+  using the same logic that we had used for mount (where the two underlying
+  &quot;sub-facilities&quot; are the mount and umount programs)
+
+* Wed Dec 27 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-5
 - Install control(8) mode 755 since some of its features work as non-root
 - Add sub-package with facilities and triggers for pam password hashing and
   password policy
@@ -818,7 +830,7 @@ write           restricted      (public restricted)
 
 * Wed Dec 13 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-2
 - In addition to Requires(pre), also use Requires in the sub-package
-- In %%triggerprein_control, pre-check that the facility exists
+- In %triggerprein_control, pre-check that the facility exists
 - Use (renamed) copies of the trigger macros within this spec file
 
 * Wed Dec 13 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-1
@@ -848,7 +860,7 @@ write           restricted      (public restricted)
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 27, 2023</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">January 3, 2024</span>
   </span>
 
     

sitemap.xml

@@ -2,57 +2,57 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
          <loc>https://sig-security.rocky.page/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/news/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/issues/CVE-2023-23583/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/issues/CVE-2023-4911/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/control/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/glibc/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/hardened_malloc/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/lkrg/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/microcode_ctl/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/openssh/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://sig-security.rocky.page/packages/passwdqc/</loc>
-         <lastmod>2023-12-28</lastmod>
+         <lastmod>2024-01-03</lastmod>
          <changefreq>daily</changefreq>
     </url>
 </urlset>