FS#63248 - [shadow] Install newuidmap/newgidmap with fs caps instead of suid

Attached to Project: Arch Linux
Opened by Jensen McKenzie (your_doomsday) - Sunday, 21 July 2019, 20:16 GMT
Last edited by Dave Reisner (falconindy) - Thursday, 08 August 2019, 01:16 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

Since version 4.7, upstream supports installing newuidmap/newgidmap with the CAP_SETUID and CAP_SETGID (respectively) file system capabilities instead of as full SUID binaries (the '--with-fcaps' config option). This is highly recommended for better security.

https://github.com/shadow-maint/shadow/commit/70971457b761cdd6cd507acfc935295b4f3f237f

Closed by  Dave Reisner (falconindy)
Thursday, 08 August 2019, 01:16 GMT
Reason for closing:  Fixed
Additional comments about closing:  shadow 4.7-2
Comment by Dave Reisner (falconindy) - Thursday, 01 August 2019, 18:04 GMT
Unfortunately pacman doesn't support unpacking of xattrs in package tarballs, so this needs to be done via an install scriptlet. Pushing a -2 to testing with this change.
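
Added example, not part of the original task or of the shadow or Arch packaging: a check that a binary has dropped its setuid bit and carries exactly one file capability, done by decoding the security.capability xattr that an install scriptlet would set. The function names and the sample xattr value are constructed for illustration, and the expectation that the capability is both permitted and effective is an assumption.

```python
import os
import stat

# Capability numbers from linux/capability.h
CAP_SETGID, CAP_SETUID = 6, 7
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs in the xattr
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def parse_file_caps(xattr):
    """Decode a security.capability xattr into (permitted set, effective flag)."""
    magic = int.from_bytes(xattr[:4], "little")
    words = REVISION_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(xattr) < 4 + 8 * words:
        raise ValueError("unrecognised security.capability value")
    permitted = 0
    for i in range(words):
        off = 4 + 8 * i  # each pair is permitted (4 bytes) then inheritable
        permitted |= int.from_bytes(xattr[off:off + 4], "little") << (32 * i)
    caps = {bit for bit in range(64) if permitted >> bit & 1}
    return caps, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def audit(mode, xattr, expected_cap):
    """Return findings for one binary; an empty list means it matches."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid bit still set")
    if xattr is None:
        findings.append("no file capabilities")
        return findings
    caps, effective = parse_file_caps(xattr)
    if caps != {expected_cap}:
        findings.append("unexpected permitted set: %s" % sorted(caps))
    if not effective:
        findings.append("effective flag not set")
    return findings

def audit_path(path, expected_cap):
    """Audit a real file (Linux only); a missing xattr counts as no caps."""
    try:
        xattr = os.getxattr(path, "security.capability")
    except OSError:
        xattr = None
    return audit(os.stat(path).st_mode, xattr, expected_cap)

# Constructed sample: revision 2, effective flag set, permitted = CAP_SETUID only
SAMPLE_SETUID_CAP = (0x02000001).to_bytes(4, "little") \
    + (1 << CAP_SETUID).to_bytes(4, "little") + bytes(12)
```

On an installed system, audit_path("/usr/bin/newuidmap", CAP_SETUID) and audit_path("/usr/bin/newgidmap", CAP_SETGID) return an empty list when the binaries match this expectation.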
