FS#71656 - [shadow] setuid/setgid bits may not be cleared, due to implicit dependency on coreutils

Attached to Project: Arch Linux
Opened by Florian Albertz (rlnm) - Thursday, 29 July 2021, 16:46 GMT
Last edited by David Runge (dvzrv) - Wednesday, 19 October 2022, 21:51 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
David Runge (dvzrv)
Giancarlo Razzolini (grazzolini)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

# Description:
The install script of the shadow package implicitly depends on the `chmod` command to strip the setuid and setgid bits from the extracted binaries.
This results in inconsistent behavior if we install the entirety of `base`, because pacman may decide to install shadow before it installs coreutils. The install process then succeeds but the binaries keep their setuid and setgid bits.

I guess an easy fix would be to make shadow depend on coreutils?


# Additional Infos:
* Bug resulting in install script which strips permissions: https://bugs.archlinux.org/task/63248


# Steps to reproduce:
* Set up a new root directory by installing base using pacman --root/pacstrap a couple of times. Sometimes /usr/bin/newuidmap and /usr/bin/newgidmap will have their setuid/setgid bits set and sometimes they won't.
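
An added example, not part of the original report or of the shadow package: a POSIX shell check that reports whether the two binaries named above still carry setuid/setgid bits in a freshly populated root. The function names `list_idmap_bits` and `audit_idmap_bits` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the report): audit a new root for leftover
# setuid/setgid bits on /usr/bin/newuidmap and /usr/bin/newgidmap.

# list_idmap_bits ROOT
# Prints "<path> <state>" per binary; state is one of
# setuid+setgid, setuid, setgid, clean, missing.
list_idmap_bits() {
    root=${1:-/}
    for bin in usr/bin/newuidmap usr/bin/newgidmap; do
        path="${root%/}/$bin"
        if [ ! -e "$path" ]; then
            state=missing
        elif [ -u "$path" ] && [ -g "$path" ]; then
            state=setuid+setgid
        elif [ -u "$path" ]; then
            state=setuid
        elif [ -g "$path" ]; then
            state=setgid
        else
            state=clean
        fi
        printf '%s %s\n' "$path" "$state"
    done
}

# audit_idmap_bits ROOT
# Prints the report and returns 0 only when both binaries exist and
# carry neither bit; returns 1 if a bit is set or a binary is missing.
audit_idmap_bits() {
    report=$(list_idmap_bits "$1")
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -qv ' clean$'; then
        return 1
    fi
    return 0
}
```

Call `audit_idmap_bits` with the new root's path after each pacstrap run; a `setuid` or `setgid` line marks a root where the bits were not stripped.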

Closed by David Runge (dvzrv)
Wednesday, 19 October 2022, 21:51 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with shadow >= 4.11.1-2
Comment by lukpod (lukpod) - Tuesday, 28 September 2021, 21:33 GMT
Comment by David Runge (dvzrv) - Wednesday, 19 October 2022, 21:40 GMT
The setuid/setgid bit being set has actually been the case for a long time mainly because we have not used the correct configure option.
This should be fixed with 4.11.1-2 (since https://github.com/archlinux/svntogit-packages/commit/e714e12403efb4ffa4ad4becf21f320dc1c347fa).

@lukpod: If the use of xattr is fixed in pacman, then we can also drop the install file. I'll do a test with it in the coming days.
Comment by David Runge (dvzrv) - Wednesday, 19 October 2022, 21:51 GMT
Yep, seems we can drop the .install file as well.

Either way: This ticket is resolved with shadow >= 4.11.1-2
