FS#64836 - [shadow] useradd, groupadd, etc. are now setuid-root

Attached to Project: Arch Linux
Opened by Nicolas I. (IooNag) - Saturday, 14 December 2019, 18:40 GMT
Last edited by Levente Polyak (anthraxx) - Sunday, 15 December 2019, 21:10 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity Critical
Priority Immediate
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



shadow 4.7-3 installs several programs as setuid-root that can create or remove users and groups (useradd, userdel, groupadd, groupdel...). These programs did not have the setuid-root bit before. For example, shadow 4.7-2 (downloadable from https://archive.archlinux.org/packages/s/shadow/) installed these programs without the setuid bit.

According to the git history of package shadow, the only major change between 4.7-2 and 4.7-3 is https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/shadow&id=031c7149a15ab0f8a4b49835b9b10773176a40cc, which refers to a bug which seems unrelated to this package (FS#64106 is about elasticsearch, https://bugs.archlinux.org/task/64106). This is very confusing. In my humble opinion, I expect a change such as adding setuid-root flags to existing programs to be documented at least in the commit message that introduces the change. Did I miss something in this regard?

Additional info:
* package version: shadow-4.7-3
* config: Arch Linux x86-64

Steps to reproduce:

* Run ls -l /usr/bin/{groupadd,groupdel,groupmod,useradd,userdel,usermod}
* Observe "-rwsr-xr-x 1 root root" at the beginning of every line

Closed by Levente Polyak (anthraxx)
Sunday, 15 December 2019, 21:10 GMT
Reason for closing: Fixed
Additional comments about closing: 4.8-1
Comment by Jensen McKenzie (your_doomsday) - Sunday, 15 December 2019, 16:46 GMT
I believe the bug linked in the commit was a typo and it should point to https://bugs.archlinux.org/task/64016 instead; however, this still doesn't make it clear that those setuid changes were intentional.
Comment by Dave Reisner (falconindy) - Sunday, 15 December 2019, 20:14 GMT
The problem is the backport of upstream commit e293aa9cfca0619a63616af75, authored by yours truly. I really just wanted to fix one of the many bugs in shadow's build system, and this is the thanks I get.

To be clear, the full list of affected binaries is: chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod

There's a new build of shadow, so I'm going to push that into testing with --disable-account-tools-setuid.
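
An audit sketch for the binaries listed in the comment above, added here as an example and not taken from the bug report or from the shadow package: it checks each named tool in the given directories for the set-user-ID bit. The function names and the constructed sample tree are assumptions; on a real system the directory to pass is /usr/bin.

```shell
#!/bin/sh
# Binaries the report lists as affected by the shadow 4.7-3 build.
ACCOUNT_TOOLS="chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod"

# Print every listed tool under the given directories that carries the
# set-user-ID bit. Tools that are not installed are skipped.
list_setuid_account_tools() {
    for dir in "$@"; do
        for tool in $ACCOUNT_TOOLS; do
            # [ -u ] is true only when the setuid bit is set on the file.
            if [ -f "$dir/$tool" ] && [ -u "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
            fi
        done
    done
}

# Audit wrapper: returns 0 when no listed tool is setuid, 1 otherwise,
# so it can gate a package check or a configuration-management run.
audit_account_tools() {
    hits=$(list_setuid_account_tools "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/setuid bit set on account tool: /' >&2
    return 1
}

# Constructed sample tree standing in for /usr/bin (not real binaries):
# useradd is setuid as reported for 4.7-3, groupadd is not, and
# othertool is setuid but is not one of the listed account tools.
make_sample_tree() {
    tree=$(mktemp -d)
    for f in useradd groupadd othertool; do : > "$tree/$f"; done
    chmod 4755 "$tree/useradd"
    chmod 0755 "$tree/groupadd"
    chmod 4755 "$tree/othertool"
    printf '%s\n' "$tree"
}

# Demo on the constructed tree: prints only the useradd path.
sample=$(make_sample_tree)
list_setuid_account_tools "$sample"
rm -rf "$sample"
```
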
Comment by Eli Schwartz (eschwartz) - Sunday, 15 December 2019, 20:21 GMT
Dave, what's the story with https://github.com/shadow-maint/shadow/pull/197 ?

I would have thought such distros could simply configure with --bindir and --sbindir, right?