Arch Linux

FS#64836 - [shadow] useradd, groupadd, etc. are now setuid-root

Attached to Project: Arch Linux
Opened by Nicolas I. (IooNag) - Saturday, 14 December 2019, 18:40 GMT
Last edited by Levente Polyak (anthraxx) - Sunday, 15 December 2019, 21:10 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Dave Reisner (falconindy)
Architecture: All
Severity: Critical
Priority: Immediate
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

shadow 4.7-3 installs several programs as setuid-root that can create or remove users and groups (useradd, userdel, groupadd, groupdel...). These programs did not have the setuid-root bit before. For example, shadow 4.7-2 (downloadable from installed these programs without the setuid bit.

According to the git history of package shadow, the only major change between 4.7-2 and 4.7-3 is, which refers to a bug which seems unrelated to this package (FS#64106 is about elasticsearch, This is very confusing. In my humble opinion, I expect a change such as adding setuid-root flags to existing programs to be documented at least in the commit message that introduces the change. Did I miss something in this regard?

Additional info:
* package version: shadow-4.7-3
* config: Arch Linux x86-64

Steps to reproduce:

* Run ls -l /usr/bin/{groupadd,groupdel,groupmod,useradd,userdel,usermod}
* Observe "-rwsr-xr-x 1 root root" at the beginning of every line

Closed by Levente Polyak (anthraxx)
Sunday, 15 December 2019, 21:10 GMT
Reason for closing: Fixed
Additional comments about closing: 4.8-1
Comment by Jensen McKenzie (your_doomsday) - Sunday, 15 December 2019, 16:46 GMT
I believe the bug linked in commit was a typo and it should point to instead; however, this still doesn't clear that those setuid changes were intentional.
Comment by Dave Reisner (falconindy) - Sunday, 15 December 2019, 20:14 GMT
The problem is the backport of upstream commit e293aa9cfca0619a63616af75, authored by yours truly. I really just wanted to fix one of the many bugs in shadow's build system, and this is the thanks I get.

To be clear, the full list of affected binaries is: chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod

There's a new build of shadow, so I'm going to push that into testing with --disable-account-tools-setuid.
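
A check for the condition this report describes, as an added example that is not part of the tracker thread or the shadow package: it tests the binaries named in the comment above for the setuid bit in one or more directories. The function name, variable names and output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the shadow account tools for the setuid bit.
# The binary names are the ones listed in the comment above; the function
# name and output format are assumptions made for this example.
ACCOUNT_TOOLS="chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod"

# find_setuid_account_tools DIR...
# Prints "<mode> uid=<owner uid> <path>" for every account tool found in the
# given directories that has the setuid bit set.
# Returns 1 if at least one was found, 0 if all of them are clean.
find_setuid_account_tools() {
    fsat_found=0
    for fsat_dir in "$@"; do
        for fsat_tool in $ACCOUNT_TOOLS; do
            fsat_path="$fsat_dir/$fsat_tool"
            # Ignore names that are absent or not regular files.
            [ -f "$fsat_path" ] || continue
            # -u is true only when the setuid bit is set.
            if [ -u "$fsat_path" ]; then
                # ls -n prints the numeric owner, so uid=0 means setuid-root.
                fsat_info=$(ls -ldn -- "$fsat_path" | awk '{print $1, "uid=" $3}')
                printf '%s %s\n' "$fsat_info" "$fsat_path"
                fsat_found=1
            fi
        done
    done
    return "$fsat_found"
}

# When run with arguments, e.g. `sh check.sh /usr/bin`, scan those directories
# and exit non-zero if any account tool is setuid.
if [ "$#" -gt 0 ]; then
    find_setuid_account_tools "$@"
fi
```
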
Comment by Eli Schwartz (eschwartz) - Sunday, 15 December 2019, 20:21 GMT
Dave, what's the story with ?

I would have thought such distros could simply configure with --bindir and --sbindir, right?