shadow files are user readable #4401

champtar · 2023-05-09T14:54:51Z

Scanning my system using oscap / cis profile,
shadow files have incorrect permissions

Host system details
Alma 8.7 based OS

Expected vs actual behavior

# ls -l /etc/*shadow*
-r--------. 1 root root 225 Dec  5 09:18 /etc/gshadow
-r--------. 1 root root 213 Oct 25  2022 /etc/gshadow-
-r--------. 1 root root 436 Apr 18 11:37 /etc/shadow
-r--------. 1 root root 397 Oct 25  2022 /etc/shadow-

Expected:
shadow files should have mode 0000

Steps to reproduce it
The shadow files in /usr/etc have mode 0400 on purpose 334f0b8
This seems to be a side effect

chmod 0000 /etc/*shadow* doesn't break my system

Maybe we can fix it using tmpfile.d config

$ cat /usr/lib/tmpfiles.d/rpm-ostree-shadow.conf
z /etc/shadow 0000 root root -
z /etc/shadow- 0000 root root -
z /etc/gshadow 0000 root root -
z /etc/gshadow- 0000 root root -

see also #1045

Would you like to work on the issue?
No

The text was updated successfully, but these errors were encountered:

cgwalters · 2023-05-18T14:45:24Z

Ultimately what we want I think is for the shadow files to not exist in the ostree commit at all. Instead we should generate them on first boot if they don't exist. This may require OS level work.

champtar · 2023-05-18T17:24:00Z

Instead we should generate them on first boot if they don't exist. This may require OS level work.

We could have rpm-ostree generate them when missing when 'unpacking' a commit

champtar · 2023-05-26T12:53:04Z

this triggers SELinux

(typeattributeset cil_gen_require systemd_tmpfiles_t)
(typeattributeset cil_gen_require shadow_t)
(allow systemd_tmpfiles_t shadow_t (file (getattr setattr relabelfrom relabelto)))

Because of how our composes work, we need to manually inject passwd-related things before installing packages. A somewhat recent regression in that area made it so that the `/etc/shadow` and `/etc/gshadow` files were created with default permissions (0644), which meant they were world readable. Fix this by explicitly setting their modes to 0. Ideally, we would rely on the canonical permissions set in the `setup` package here, but it's tricky to fix that without reworking how we install `setup` and handle `passwd` treefile options. Fixes fdb879c ("passwd: sync `etc/{,g}shadow` according to `etc/{passwd,group}`"). Fixes coreos#4401

cgwalters added the triaged This issue was triaged label May 18, 2023

cgwalters changed the title ~~shadow files are user readeable~~ shadow files are user readable May 18, 2023

cgwalters added priority/medium difficulty/medium medium complexity/difficutly issue labels May 31, 2023

cgwalters mentioned this issue Jul 12, 2023

sysusers: remove bin entries and get systemd.post: /etc/gshadow: Group "bin" already exists. coreos/fedora-coreos-tracker#1525

Closed

travier mentioned this issue Apr 9, 2024

CVE-2024-2905: passwd: create /etc/[g]shadow with mode 0 & unit: chmod /etc/[g]shadow[-] to 0000 #4911

Merged

cgwalters closed this as completed in #4911 Apr 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

shadow files are user readable #4401

shadow files are user readable #4401

champtar commented May 9, 2023

cgwalters commented May 18, 2023

champtar commented May 18, 2023

champtar commented May 26, 2023 •

edited

Loading

shadow files are user readable #4401

shadow files are user readable #4401

Comments

champtar commented May 9, 2023

cgwalters commented May 18, 2023

champtar commented May 18, 2023

champtar commented May 26, 2023 • edited Loading

champtar commented May 26, 2023 •

edited

Loading