[Pkg-shadow-devel] Bug#857803: Bug#857803: shadow: Make the sp_lstchg shadow field reproducible.

Serge E. Hallyn serge at hallyn.com
Sun Apr 9 15:50:02 UTC 2017

Quoting Chris Lamb (lamby at debian.org):
> Hi Serge,
> > > > looks ok to me, although, would it be better to fall back to time(NULL)
> > > > if the env variable is invalid?
> > > 
> > > In my experience it is far superior to explicitly error out in this
> > > situation.
> > 
> > My concern is unprivileged users causing unexpected failure in a more
> > privileged script or program by setting an invalid environment variable.
> I hadn't considered that until now. However, I think you have bigger
> problems if you can do that (eg. manipulate PATH!) and tools generally
> do the right thing these days with respect to cleaning the environment
> (eg. sudo).

Right, sudo does but just setuid-root does not.  This env variable
is for reproducible builds, so can we check ruid==0 and ignore the
env variable if not?  Or do the build scripts also run as non-root?

More information about the Pkg-shadow-devel mailing list