Hi, Looking at what's upstream, it appears that the difference between your version and upstream is the following diff. I have some questions about a couple of the additions:
--- upstream/usr.bin.passwd 2014-06-26 15:13:56.154844301 -0700
+++ new/usr.bin.passwd 2014-11-24 14:08:13.307951734 -0800
@@ -1,5 +1,4 @@
-# vim:syntax=apparmor
-# Last Modified: Sat Jan 6 09:35:33 2007
+# Last Modified: Fri Feb 28 19:31:33 2014
# ------------------------------------------------------------------
#
# Copyright (C) 2006 Volker Kuhlmann
@@ -17,19 +16,27 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
+ #include <abstractions/wutmp>
This looks fine, I think.
capability chown,
+ capability fsetid,
Any idea what passwd would be doing that it would need this capability?
I'm unclear why passwd would ever be messing with the permissions on a
setuid/setgid file or directory.
capability sys_resource,
- /etc/.pwd.lock w,
+
+
+ /etc/.pwd.lock wk,
Looks fine.
+ /etc/nshadow rw,
Similar question about nshadow. It looks to be a file left around from
running pwconv; why would passwd be making use of it? Does passwd have
the ability to do shadow conversion, too?
/etc/pwdutils/logging r,
/etc/shadow rwl,
/etc/shadow.old rwl,
/etc/shadow.tmp?????? rwl,
+ /proc/*/loginuid r,
I'm actually surprised we don't see more of this. A better rule would
probably be:
+ @{PROC}/@{pid}/loginuid r,
since I doubt passwd is looking at other process' loginuid.
/usr/bin/passwd mr,
/usr/lib/pwdutils/lib*.so* mr,
/usr/lib64/pwdutils/lib*.so* mr,
/usr/share/cracklib/pw_dict.hwm r,
/usr/share/cracklib/pw_dict.pwd r,
/usr/share/cracklib/pw_dict.pwi r,
+
}
--
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
signature.asc
Description: Digital signature
