From d52ab1dd72b9e65cdeebb76c6cea77f5aca24170 Mon Sep 17 00:00:00 2001 From: mzfr Date: Thu, 12 Feb 2026 12:15:49 +0800 Subject: [PATCH] Added security testbed for osv scalibr pammisconfig https://github.com/google/osv-scalibr/pull/1705
---
pammisconfig/Dockerfile | 28 ++++++++++++++++++++++++++++ pammisconfig/README.md | 20 ++++++++++++++++++++ pammisconfig/etc/pam.conf | 17 +++++++++++++++++ pammisconfig/etc/pam.d/sshd | 17 +++++++++++++++++ pammisconfig/etc/pam.d/sudo | 15 +++++++++++++++ 5 files changed, 97 insertions(+) create mode 100644 pammisconfig/Dockerfile create mode 100644 pammisconfig/README.md create mode 100644 pammisconfig/etc/pam.conf create mode 100644 pammisconfig/etc/pam.d/sshd create mode 100644 pammisconfig/etc/pam.d/sudo
diff --git a/pammisconfig/Dockerfile b/pammisconfig/Dockerfile
new file mode 100644
index 00000000..2e10561a
--- /dev/null
+++ b/pammisconfig/Dockerfile
@@ -0,0 +1,28 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:22.04
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends libpam-modules \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/pam.d /app
+
+COPY etc/pam.d/ /etc/pam.d/
+COPY etc/pam.conf /etc/pam.conf
+
+WORKDIR /app
+
+CMD ["/bin/bash"]
diff --git a/pammisconfig/README.md b/pammisconfig/README.md
new file mode 100644
index 00000000..9c2c69fa
--- /dev/null
+++ b/pammisconfig/README.md
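Review bot: `RUN mkdir -p /etc/pam.d /app` in the Dockerfile hunk is a layer that does nothing useful: `WORKDIR /app` two instructions later creates `/app` on its own, and `/etc/pam.d` should already exist in `ubuntu:22.04` before the COPY, since the base image ships its own PAM runtime and `/etc/pam.d/common-*` files (worth confirming against the image; the `apt-get install libpam-modules` step is probably a no-op for the same reason). That second point also affects the scan: `COPY etc/pam.d/ /etc/pam.d/` merges the three fixtures into the distribution's directory rather than replacing it, so the detector will see the base image's PAM files alongside the ones listed in the README, and a base-image refresh can change the result set. For a testbed whose purpose is stable detector output, pin the inputs — `FROM ubuntu:22.04@sha256:<digest>` and `libpam-modules=<version>` — and drop the `mkdir` line. The stage also ends as root with no `USER`; that is defensible for a scanner fixture, but a one-line comment saying so would save the next reviewer from flagging it.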
@@ -0,0 +1,20 @@
+# PAM Misconfiguration Testbed
+
+This testbed exercises the SCALIBR PAM misconfiguration detector. It provides
+intentionally vulnerable PAM configurations under `/etc/pam.d/` and the legacy
+`/etc/pam.conf` file to trigger all detection checks.
+
+## Build & Run
+
+```sh
+docker build -t pammisconfig-testbed .
+docker run -it --rm -v $(pwd):/app pammisconfig-testbed
+```
+
+## Vulnerability Coverage
+
+| File | Triggered checks |
+| --- | --- |
+| `/etc/pam.d/sshd` | pam_permit bypass, pam_succeed_if broad condition, nullok auth option |
+| `/etc/pam.d/sudo` | pam_permit as only optional auth module (only auth entry) |
+| `/etc/pam.conf` | pam_permit bypass, pam_succeed_if broad condition, nullok auth option |
diff --git a/pammisconfig/etc/pam.conf b/pammisconfig/etc/pam.conf
new file mode 100644
index 00000000..d3b22ea0
--- /dev/null
+++ b/pammisconfig/etc/pam.conf
@@ -0,0 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sshd auth sufficient pam_permit.so
+sshd auth sufficient pam_succeed_if.so uid >= 1000
+sshd auth sufficient pam_unix.so nullok
diff --git a/pammisconfig/etc/pam.d/sshd b/pammisconfig/etc/pam.d/sshd
new file mode 100644
index 00000000..dc248335
--- /dev/null
+++ b/pammisconfig/etc/pam.d/sshd
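Review bot: Nothing in the `pam.conf` hunk (nor in the `pam.d/sshd` and `pam.d/sudo` hunks that follow) says the rules are a deliberately broken fixture, and the Apache header on each file makes them look like ordinary shippable config; a one-line comment above the first rule — `# Intentionally insecure fixture for the SCALIBR pammisconfig detector; never copy into a real system.` — costs nothing and guards against accidental reuse. For this file specifically it is also worth recording that the Linux-PAM build Ubuntu ships ignores `/etc/pam.conf` whenever `/etc/pam.d/` exists, which it does in this image, so these three rules are only ever exercised by the static scan and never by a PAM-aware process in the container; the README's "legacy" wording hints at this but does not state it. The same fixture-comment note applies to the sshd and sudo hunks and is not repeated there.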
@@ -0,0 +1,17 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+auth sufficient pam_permit.so
+auth sufficient pam_succeed_if.so uid >= 1000
+auth sufficient pam_unix.so nullok
diff --git a/pammisconfig/etc/pam.d/sudo b/pammisconfig/etc/pam.d/sudo
new file mode 100644
index 00000000..2bf8c917
--- /dev/null
+++ b/pammisconfig/etc/pam.d/sudo
@@ -0,0 +1,15 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+auth optional pam_permit.so