generated from sig_core/wiki-template
Merge pull request 'control-pam: Add unix_chkpwd and pam_timestamp_check' (#22) from solardiz-patch-20 into main
All checks were successful
mkdocs build / build (push) Successful in 27s
Reviewed-on: #22 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
commit
e7518933d6
2 changed files with 39 additions and 24 deletions
@ -2,6 +2,10 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## January 3, 2024
[control](packages/control.md) `0.8.0-7` can now manage two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.
## December 27, 2023
## December 27, 2023
[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.
[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.
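Review bot: the new January 3 entry names the two helper facilities but not what the added settings are; the package page's hardening output in this same change lists only `public` and `restricted` for both, so consider saying the helpers can be switched between `public` (the EL default) and `restricted`, so readers of the news page know what the knob does without opening the package page.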
@ -2,7 +2,7 @@
## EL9
## EL9
- Version `0.8.0-5.el9_3.security`
- Version `0.8.0-7.el9_3.security`
### Package summary
### Package summary
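Review bot: the EL9 version line jumps from `0.8.0-5` to `0.8.0-7` with no `0.8.0-6` ever documented here; that matches the change log hunk further down, where both releases carry the same January 3 date, but since the `-6` entry records a behavioural change (each password facility now processing two sub-facilities) it is worth confirming that `-6` was never pushed to the repo on its own, otherwise the news page should carry an entry for it too.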
@ -20,38 +20,40 @@ While the original `control` package in Owl and ALT Linux merely provides the co
The available facilities, their current settings, and lists of possible settings can be queried by running the `control` command without parameters. With all currently available sub-packages installed and upstream default settings, its output is:
The available facilities, their current settings, and lists of possible settings can be queried by running the `control` command without parameters. With all currently available sub-packages installed and upstream default settings, its output is:
```
```
chage public (public restricted)
chage public (public restricted)
gpasswd public (public wheelonly restricted)
gpasswd public (public wheelonly restricted)
mount public (public wheelonly unprivileged restricted)
mount public (public wheelonly unprivileged restricted)
newgidmap public (public wheelonly restricted)
newgidmap public (public wheelonly restricted)
newgrp public (public wheelonly restricted)
newgrp public (public wheelonly restricted)
newuidmap public (public wheelonly restricted)
newuidmap public (public wheelonly restricted)
password-hash sha512crypt (sha512crypt yescrypt)
pam_timestamp_check public (public restricted)
password-policy pwquality (pwquality passwdqc)
password-hash sha512crypt (sha512crypt yescrypt)
write public (public restricted)
password-policy pwquality (pwquality passwdqc)
unix_chkpwd public (public restricted)
write public (public restricted)
```
```
With maximum security hardening, it changes to:
With maximum security hardening, it changes to:
```
```
chage restricted (public restricted)
chage restricted (public restricted)
gpasswd restricted (public wheelonly restricted)
gpasswd restricted (public wheelonly restricted)
mount restricted (public wheelonly unprivileged restricted)
mount restricted (public wheelonly unprivileged restricted)
newgidmap restricted (public wheelonly restricted)
newgidmap restricted (public wheelonly restricted)
newgrp restricted (public wheelonly restricted)
newgrp restricted (public wheelonly restricted)
newuidmap restricted (public wheelonly restricted)
newuidmap restricted (public wheelonly restricted)
password-hash yescrypt (sha512crypt yescrypt)
pam_timestamp_check restricted (public restricted)
password-policy passwdqc (pwquality passwdqc)
password-hash yescrypt (sha512crypt yescrypt)
write restricted (public restricted)
password-policy passwdqc (pwquality passwdqc)
unix_chkpwd restricted (public restricted)
write restricted (public restricted)
```
```
The default settings (typically `public`) correspond to EL packages' defaults (and are typically the most relaxed security-wise).
Please refer to `control(8)` man page for command-line usage syntax.
Please refer to `control(8)` man page for command-line usage syntax.
### Sub-packages
### Sub-packages
Currently, there are 3 sub-packages:
Currently, there are 4 sub-packages:
#### control
#### control
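Review bot: the sub-package count goes from 3 to 4 in this hunk, but no new `####` sub-package heading is added anywhere in this change and the 0.8.0-7 change log entry says the two facilities were added "to the pam sub-package"; if this corrects an undercount left over from when `control-pam` was introduced in 0.8.0-5, a word in the commit message would help, and following "there are 4 sub-packages" with their names would make the number self-verifying. The placement of `pam_timestamp_check` and `unix_chkpwd` in both listings keeps the alphabetical order of the facility names, which is good.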
@ -67,11 +69,20 @@ Facility specifications corresponding to the `util-linux` and `util-linux-core`
#### control-pam
#### control-pam
Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs.
Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs, as well as two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.
### Change log
### Change log
```
```
* Wed Jan 3 2024 Solar Designer <solar@openwall.com> 0.8.0-7
- Add unix_chkpwd and pam_timestamp_check facilities to the pam sub-package
* Wed Jan 3 2024 Solar Designer <solar@openwall.com> 0.8.0-6
- Revise password-hash and password-policy to process the underlying two
"sub-facilities" (for the two configuration files updated by each of these)
using the same logic that we had used for mount (where the two underlying
"sub-facilities" are the mount and umount programs)
* Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5
* Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5
- Install control(8) mode 755 since some of its features work as non-root
- Install control(8) mode 755 since some of its features work as non-root
- Add sub-package with facilities and triggers for pam password hashing and
- Add sub-package with facilities and triggers for pam password hashing and
@ -87,7 +98,7 @@ Facility specifications corresponding to the `pam` package. Currently, these all
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-2
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-2
- In addition to Requires(pre), also use Requires in the sub-package
- In addition to Requires(pre), also use Requires in the sub-package
- In %%triggerprein_control, pre-check that the facility exists
- In %triggerprein_control, pre-check that the facility exists
- Use (renamed) copies of the trigger macros within this spec file
- Use (renamed) copies of the trigger macros within this spec file
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-1
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-1
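Review bot: in the `control-pam` paragraph, "these allow to `control` user password hashing scheme ..." reads awkwardly now that the sentence has grown a second clause; consider "these let `control` manage the user password hashing scheme and password policy used by PAM-aware programs, as well as the two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`". The `%%triggerprein_control` to `%triggerprein_control` edit in the 0.8.0-2 change log entry is right for a Markdown copy of the spec change log (the doubled `%` is only the spec-file escape for a macro name), but it is unrelated to this PR's subject and deserves a mention in the commit message.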