[Pkg-shadow-devel] Bug#827479: newgrp: use CAP_SETGID instead of setuid on platforms that support it

Laurent Bigonville bigon at debian.org
Tue Mar 9 18:31:01 GMT 2021


Package: login
Version: 1:4.8.1-1
Followup-For: Bug #827479

Hello,

The executables installed by newgrp and uidmap are still today setuid
instead of using capabilities.

When looking at the build system, it seems that the newuidmap and
newgidmap are actually meant to use the file capabilities instead of being
setuid:


src/Makefile.am:	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
src/Makefile.am:	setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

Versions of packages login depends on:
ii  libaudit1       1:3.0-2
ii  libc6           2.31-9
ii  libcrypt1       1:4.4.17-1
ii  libpam-modules  1.4.0-6
ii  libpam-runtime  1.4.0-6
ii  libpam0g        1.4.0-6

login recommends no packages.

login suggests no packages.

-- no debconf information
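
One way to check an installed system for the condition this report describes, as an added example that is not part of the original message or of the shadow package. The function names are hypothetical and the /usr/bin paths are an assumption, since the message only shows `$(ubindir)`:

```shell
#!/bin/sh
# Added example: report how a helper obtains its privilege.

# classify_priv MODE WANT GETCAP_LINE
#   MODE        octal permissions as printed by `stat -c %a` (e.g. 4755)
#   WANT        capability the helper needs (e.g. cap_setuid)
#   GETCAP_LINE raw `getcap FILE` output, empty when no file capabilities
classify_priv() {
    mode=$1; want=$2; getcap_line=$3
    suid=0; caps=0
    # A leading fourth octal digit of 4-7 means the setuid bit is set.
    case $mode in
        [4567]???) suid=1 ;;
    esac
    # Matches both "file = cap_x+ep" (older libcap) and "file cap_x=ep".
    case $getcap_line in
        *"$want"*) caps=1 ;;
    esac
    case $suid$caps in
        10) echo setuid ;;
        01) echo filecaps ;;
        11) echo setuid+filecaps ;;
        *)  echo unprivileged ;;
    esac
}

# audit_binary PATH WANT: inspect one installed file.
audit_binary() {
    path=$1; want=$2
    if [ ! -e "$path" ]; then
        echo "$path: not installed"
        return 0
    fi
    mode=$(stat -c %a "$path" 2>/dev/null || echo unknown)
    line=""
    if command -v getcap >/dev/null 2>&1; then
        line=$(getcap "$path" 2>/dev/null || true)
    else
        echo "getcap not found; file capabilities cannot be read" >&2
    fi
    echo "$path: $(classify_priv "$mode" "$want" "$line") (mode $mode)"
}

# Assumed install paths (the message only gives $(ubindir)).
audit_binary /usr/bin/newuidmap cap_setuid
audit_binary /usr/bin/newgidmap cap_setgid
audit_binary /usr/bin/newgrp    cap_setgid
```

A result of `setuid` for a helper means the file still carries the setuid bit and has no matching file capability, which is the state the report describes.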


