I am posting this Security MIR on behalf of Sudhakar Verma (@sudhackar)
since he is out of the office.
---
I reviewed authd 0.2.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
authd is a service that builds cloud based authentication and MFA from clouds
such as Open ID connect or Microsoft Azure / Entra ID. This is also a
framework that will help create authentication broker services.
- CVE History
- no CVE found
- Build-Depends
- pam related libraries
- libpam0g-dev
- language runtimes
- golang-go
- dh-cargo
- jq
- protobuf-compiler
- pre/post inst/rm scripts
- add/remove authd to /etc/nsswitch.conf
- init scripts
- No
- systemd units
- Creates 'authd.service' - which is expected since this is a service to
manage
the authentication with a daemon
- dbus services
- No
- setuid binaries
- No
- binaries in PATH
- /usr/sbin/authd
- sudo fragments
- No
- polkit files
- No
- udev rules
- No
- unit tests / autopkgtests
- unit tests and autopkgtests are there and working quite fine
- cron jobs
- No
- Build logs
- some warnings from tests and autopkgtests but nothing major
- Processes spawned
- gpasswd is spawned to manage user - groups associations. The path seems to
be hardcoded
- Memory management
- code is mostly go - some glue for handling native libs in rust and C
but no problems seen there. The tests cover the cases well.
- File IO
- the daemon relies on a database file, config files and files related to
user accounts - like /etc/group. The config files could be based in user's
home, /etc - nothing concerning. Seems safe.
- Logging
- logrus is used - under vendor. Seems safe.
- Environment variable usage
- Used to enable debugging, PAM specific glue, DBUS etc. Seems safe.
- Use of privileged functions
- No
- Use of cryptography / random number sources etc
- RNG - uses crypto/rand from stdlib which is a CSPRNG. Seems safe.
- Cryptography - Uses RSA from crypto/rsa - PKCS #1 and RFC 8017 for PAM
side encryption. Seems safe.
- Hashing - Only uses sha512 from crypto/sha512. Seems safe.
- Use of temp files
- only while testing. Seems safe.
- Use of networking
- All networking is done through unix sockets within PAM. Seems safe.
- Use of WebKit
- No.
- Use of PolicyKit
- No.
- Any significant cppcheck results
- No
- Any significant Coverity results
- No
- Any significant shellcheck results
- No. authd only has scripts which are used during building.
- Any significant bandit results
- No
- Any significant govulncheck results
- No
- Any significant Semgrep results
- go.grpc.security.grpc-server-insecure-connection
- The connection is through a unix socket, so it's only accessible locally
and is within PAM, so we are protected by the pam stack as well.
- go.lang.security.audit.dangerous-exec-command
- The command is static - 'gpasswd' as defined in defaultOptions,
so this is an FP.
authd is a daemon that implements managing user authentication and related
services like MFA. It can be used to integrate with different auth providers
with our own brokers by exposing a dbus interface. It maintains a database
at runtime locally to handle user accounts. It also exposes NSS and PAM
services over grpc.
What this basically means is - authd is a complex project that talks to various
services and exposes a few of its own - its stateful and is a daemon. It also
handles authentication - one of the key foundation to security of a system.
However the project looks good in terms of maintainability. There re plenty
of integration, unit and end to end tests. The project is well documented, and
is well maintained. The history looks clean and the maintainers are easy to
approach and talk to.
Security team ACK for promoting authd to main.
** Changed in: authd (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2048781
Title:
[MIR] authd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/authd/+bug/2048781/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
