[Pkg-shadow-devel] Bug#827479: newgrp: use CAP_SETGID instead of setuid on platforms that support it
Laurent Bigonville
bigon at debian.org
Tue Mar 9 18:31:01 GMT 2021
Package: login
Version: 1:4.8.1-1
Followup-For: Bug #827479
Hello,
The executables installed by newgrp and uidmap are still today setuid
instead of using capabilities.
When looking at the build system, it seems that the newuidmap and
newgidmap are actually meant to use the file capabilities instead of being
setuid:
src/Makefile.am: setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
src/Makefile.am: setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
Versions of packages login depends on:
ii libaudit1 1:3.0-2
ii libc6 2.31-9
ii libcrypt1 1:4.4.17-1
ii libpam-modules 1.4.0-6
ii libpam-runtime 1.4.0-6
ii libpam0g 1.4.0-6
login recommends no packages.
login suggests no packages.
-- no debconf information
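
Added example, not part of the original message or of the shadow package: a small auditor that reports whether a binary gets its privilege from the setuid bit or from file capabilities, by decoding the security.capability xattr that setcap writes. The function names and the sample xattr value are constructed for illustration; paths to check are passed on the command line.

```python
import os
import stat
import struct
import sys

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit {permitted, inheritable} pairs
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NAMES = {6: "cap_setgid", 7: "cap_setuid"}  # only the two named in the report


def decode_file_caps(raw):
    """Decode a security.capability value into (permitted bit numbers, effective flag)."""
    if len(raw) < 4:
        raise ValueError("truncated security.capability value")
    (magic,) = struct.unpack_from("<I", raw, 0)
    words = REVISION_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unrecognised or truncated security.capability value")
    permitted = 0
    for i in range(words):
        low, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= low << (32 * i)
    bits = [b for b in range(64) if (permitted >> b) & 1]
    return bits, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify(mode, raw_xattr):
    """Return how a binary is privileged: setuid bit, file capabilities, or neither."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if raw_xattr:
        bits, effective = decode_file_caps(raw_xattr)
        names = ",".join(CAP_NAMES.get(b, f"cap_{b}") for b in bits)
        findings.append(f"{names}+{'ep' if effective else 'p'}")
    return findings or ["unprivileged"]


# Constructed sample: a revision-2 value with cap_setuid permitted and effective.
SAMPLE_SETUID_EP = struct.pack("<IIIII", 0x02000000 | 1, 1 << 7, 0, 0, 0)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # Linux only: os.getxattr reads the xattr
        try:
            raw = os.getxattr(path, "security.capability")
        except OSError:  # no xattr set, or filesystem without xattr support
            raw = b""
        print(path, classify(os.stat(path).st_mode, raw))
```

A binary reported as "setuid" with no capability entry is in the state the report describes; one reported as "cap_setuid+ep" or "cap_setgid+ep" without "setuid" matches what the Makefile.am lines intend.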