Opened Jul 09, 2020 by webstrand (@webstrand)

Busybox /bin/su and /bin/login bypass PAM configuration when using linux-pam

On systems using linux-pam, where a more restrictive authentication mechanism is used—such as pam_yubico.so—the Busybox binaries /bin/su and /bin/login are not PAM-aware and bypass the PAM configuration. This may be a vulnerability on some systems, since su cannot be disabled without also disabling its multi-call binary /bin/bbsuid.

Busybox could be built with PAM support by setting CONFIG_PAM=y in its configuration. Adding the packages busybox-pam and busybox-suid-pam would fix the issue.

Alternatively, the shadow package is PAM-aware and provides replacement binaries for su, login, passwd, and chpasswd. But removing busybox-suid is still problematic, and as long as it's available on the system, it may be a vulnerability.

Edited Jul 09, 2020 by webstrand
Reference: alpine/aports#11730
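
One way to audit a system for the condition described in this issue, as an added example that is not part of the original report or of Alpine's tooling: it resolves each `su` and `login` entry point to its real binary and reports whether that binary references libpam. The function names are hypothetical, and the `libpam.so` string match is a heuristic assumption that would not recognise a statically linked PAM client.

```shell
#!/bin/sh
# Added audit example; not from the issue or the aports tree.

# pam_status PATH -> prints "pam", "no-pam" or "missing" for one binary.
pam_status() {
    target=$(readlink -f "$1" 2>/dev/null) || target=""
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo missing
        return 0
    fi
    # Heuristic (assumption): a dynamically linked PAM client names
    # libpam.so in its ELF string table (DT_NEEDED entry).
    if grep -aq 'libpam\.so' "$target"; then
        echo pam
    else
        echo no-pam
    fi
}

# audit_auth_binaries ROOT -> one line per su/login found under ROOT.
# Returns 1 if any of them resolves to a binary without PAM support,
# e.g. a symlink to the Busybox multi-call binary /bin/bbsuid.
audit_auth_binaries() {
    root=${1:-}
    rc=0
    for name in su login; do
        for dir in bin usr/bin; do
            path="$root/$dir/$name"
            [ -e "$path" ] || [ -L "$path" ] || continue
            status=$(pam_status "$path")
            echo "$path -> $(readlink -f "$path") [$status]"
            if [ "$status" = no-pam ]; then
                rc=1
            fi
        done
    done
    return $rc
}

# Usage on a live system: audit_auth_binaries ""
```

A non-zero return means the PAM policy can be sidestepped through at least one of the listed paths, whatever `/etc/pam.d` says.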