Merge pull request 'control-pam: Add unix_chkpwd and pam_timestamp_check' (#22) from solardiz-patch-20 into main
All checks were successful
mkdocs build / build (push) Successful in 27s

Reviewed-on: #22
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
Neil Hanlon 2024-01-03 17:00:09 +00:00
commit e7518933d6
2 changed files with 39 additions and 24 deletions

View File

@ -2,6 +2,10 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## January 3, 2024
[control](packages/control.md) `0.8.0-7` can now manage two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.
## December 27, 2023 ## December 27, 2023
[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs. [control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.

View File

@ -2,7 +2,7 @@
## EL9 ## EL9
- Version `0.8.0-5.el9_3.security` - Version `0.8.0-7.el9_3.security`
### Package summary ### Package summary
@ -26,8 +26,10 @@ mount public (public wheelonly unprivileged restricted)
newgidmap public (public wheelonly restricted) newgidmap public (public wheelonly restricted)
newgrp public (public wheelonly restricted) newgrp public (public wheelonly restricted)
newuidmap public (public wheelonly restricted) newuidmap public (public wheelonly restricted)
pam_timestamp_check public (public restricted)
password-hash sha512crypt (sha512crypt yescrypt) password-hash sha512crypt (sha512crypt yescrypt)
password-policy pwquality (pwquality passwdqc) password-policy pwquality (pwquality passwdqc)
unix_chkpwd public (public restricted)
write public (public restricted) write public (public restricted)
``` ```
@ -40,18 +42,18 @@ mount restricted (public wheelonly unprivileged restricted)
newgidmap restricted (public wheelonly restricted) newgidmap restricted (public wheelonly restricted)
newgrp restricted (public wheelonly restricted) newgrp restricted (public wheelonly restricted)
newuidmap restricted (public wheelonly restricted) newuidmap restricted (public wheelonly restricted)
pam_timestamp_check restricted (public restricted)
password-hash yescrypt (sha512crypt yescrypt) password-hash yescrypt (sha512crypt yescrypt)
password-policy passwdqc (pwquality passwdqc) password-policy passwdqc (pwquality passwdqc)
unix_chkpwd restricted (public restricted)
write restricted (public restricted) write restricted (public restricted)
``` ```
The default settings (typically `public`) correspond to EL packages' defaults (and are typically the most relaxed security-wise).
Please refer to `control(8)` man page for command-line usage syntax. Please refer to `control(8)` man page for command-line usage syntax.
### Sub-packages ### Sub-packages
Currently, there are 3 sub-packages: Currently, there are 4 sub-packages:
#### control #### control
@ -67,11 +69,20 @@ Facility specifications corresponding to the `util-linux` and `util-linux-core`
#### control-pam #### control-pam
Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs. Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs, as well as two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.
### Change log ### Change log
``` ```
* Wed Jan 3 2024 Solar Designer <solar@openwall.com> 0.8.0-7
- Add unix_chkpwd and pam_timestamp_check facilities to the pam sub-package
* Wed Jan 3 2024 Solar Designer <solar@openwall.com> 0.8.0-6
- Revise password-hash and password-policy to process the underlying two
"sub-facilities" (for the two configuration files updated by each of these)
using the same logic that we had used for mount (where the two underlying
"sub-facilities" are the mount and umount programs)
* Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5 * Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5
- Install control(8) mode 755 since some of its features work as non-root - Install control(8) mode 755 since some of its features work as non-root
- Add sub-package with facilities and triggers for pam password hashing and - Add sub-package with facilities and triggers for pam password hashing and
@ -87,7 +98,7 @@ Facility specifications corresponding to the `pam` package. Currently, these all
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-2 * Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-2
- In addition to Requires(pre), also use Requires in the sub-package - In addition to Requires(pre), also use Requires in the sub-package
- In %%triggerprein_control, pre-check that the facility exists - In %triggerprein_control, pre-check that the facility exists
- Use (renamed) copies of the trigger macros within this spec file - Use (renamed) copies of the trigger macros within this spec file
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-1 * Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-1