FS#63248 - [shadow] Install newuidmap/newgidmap with fs caps instead of suid
Attached to Project:
Arch Linux
Opened by Jensen McKenzie (your_doomsday) - Sunday, 21 July 2019, 20:16 GMT
Last edited by Dave Reisner (falconindy) - Thursday, 08 August 2019, 01:16 GMT
Details
Description:
Since version 4.7, upstream supports installing newuidmap/newgidmap with the CAP_SETUID and CAP_SETGID (respectively) file system capabilities instead of as full SUID binaries ('--with-fcaps' config option). This is highly recommended for better security. https://github.com/shadow-maint/shadow/commit/70971457b761cdd6cd507acfc935295b4f3f237f
Closed by Dave Reisner (falconindy)
Thursday, 08 August 2019, 01:16 GMT
Reason for closing: Fixed
Additional comments about closing: shadow 4.7-2
Comment by Dave Reisner (falconindy) - Thursday, 01 August 2019, 18:04 GMT
Unfortunately pacman doesn't support unpacking of xattrs in
package tarballs, so this needs to be done via an install
scriptlet. Pushing a -2 to testing with this change.
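
File capabilities are stored in the `security.capability` extended attribute, which is why xattr support matters for this change. The following check is an added example, not code from the ticket, the Arch package or shadow: it decodes that attribute and reports whether a binary still carries a set-ID bit or holds anything other than the one wanted capability. It assumes the kernel's `vfs_cap_data` layout, a grant that is permitted and effective, and constructed sample bytes.

```python
import os
import stat
import struct

CAP_SETGID, CAP_SETUID = 6, 7          # numbers from linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE = 0x1
PAIRS = {1: 1, 2: 2, 3: 2}             # xattr revision -> 32-bit word pairs

def decode_vfs_cap(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("truncated xattr")
    (magic,) = struct.unpack_from("<I", raw, 0)
    rev = magic >> 24
    if rev not in PAIRS or len(raw) != 4 + 8 * PAIRS[rev] + (4 if rev == 3 else 0):
        raise ValueError("unknown revision or bad length")
    permitted = inheritable = 0
    for i in range(PAIRS[rev]):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable}

def audit(mode, raw_xattr, wanted_cap):
    """Findings for one binary; an empty list means the fcaps layout holds."""
    findings = []
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit still set")
    if raw_xattr is None:
        return findings + ["no security.capability xattr"]
    caps = decode_vfs_cap(raw_xattr)
    if caps["permitted"] != 1 << wanted_cap:
        findings.append("permitted set is not exactly the wanted capability")
    if not caps["effective"]:
        findings.append("effective flag not set")
    return findings

def audit_path(path, wanted_cap):
    """Run the audit against a file on a Linux system."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:                     # ENODATA: no file capabilities set
        raw = None
    return audit(os.stat(path).st_mode, raw, wanted_cap)

# Constructed sample: revision 2, effective flag, permitted = CAP_SETUID only
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << CAP_SETUID, 0, 0, 0)
```

On an installed system, `audit_path("/usr/bin/newuidmap", CAP_SETUID)` and `audit_path("/usr/bin/newgidmap", CAP_SETGID)` run the same check against the real files; those paths are assumed here and do not appear in the ticket.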