FS#71656 - [shadow] setuid/setgid bits may not be cleared, due to implicit dependency on coreutils
Attached to Project:
Arch Linux
Opened by Florian Albertz (rlnm) - Thursday, 29 July 2021, 16:46 GMT
Last edited by David Runge (dvzrv) - Wednesday, 19 October 2022, 21:51 GMT
Details
# Description:
The install script of the shadow package implicitly depends on the `chmod` command to strip the setuid and setgid bits from the extracted binaries. This results in inconsistent behavior if we install the entirety of `base`, because pacman may decide to install shadow before it installs coreutils. The install process then succeeds but the binaries keep their setuid and setgid bits. I guess an easy fix would be to make shadow depend on coreutils?

# Additional Infos:
* Bug resulting in install script which strips permissions: https://bugs.archlinux.org/task/63248

# Steps to reproduce:
* Set up a new root directory by installing base using pacman --root/pacstrap a couple of times. Sometimes /usr/bin/newuidmap and /usr/bin/newgidmap will have their setuid/setgid bits set and sometimes they won't.
Closed by David Runge (dvzrv)
Wednesday, 19 October 2022, 21:51 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with shadow >= 4.11.1-2
https://gitlab.archlinux.org/pacman/pacman/-/blob/v6.0.0/NEWS#L35
https://gitlab.archlinux.org/pacman/pacman/-/commit/3a23abb2ec0c99d74719f97dcc9d097a105fe42b
https://gitlab.archlinux.org/pacman/pacman/-/commit/88d054093c1c99a697d95b26bd9aad5bc4d8e170
This should be fixed with 4.11.1-2 (since https://github.com/archlinux/svntogit-packages/commit/e714e12403efb4ffa4ad4becf21f320dc1c347fa).
@lukpod: If the use of xattr is fixed in pacman, then we can also drop the install file. I'll do a test with it in the coming days.
Either way: This ticket is resolved with shadow >= 4.11.1-2
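A post-install check for the condition reported in this task, as an added example that is not part of the original ticket or of the shadow package. It inspects the two binaries named in the description under a given root; the function name `audit_idmap_bits` and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an installed root for setuid/setgid bits left on the
# shadow binaries named in this report. Only shell builtins ([ -u ], [ -g ])
# are used, so the check itself does not depend on coreutils being present
# in the target environment.

# Paths from the report, relative to the installation root.
SHADOW_IDMAP_BINARIES="usr/bin/newuidmap usr/bin/newgidmap"

# audit_idmap_bits ROOT   (hypothetical helper name)
# Prints one line per binary. Return codes:
#   0  both binaries present, no setuid/setgid bit set
#   1  at least one binary still carries a setuid or setgid bit
#   2  a binary is missing and no bit was found on the other one
audit_idmap_bits() {
    root=${1:-/}
    status=0
    for rel in $SHADOW_IDMAP_BINARIES; do
        path="${root%/}/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            [ "$status" -eq 0 ] && status=2
            continue
        fi
        bits=""
        [ -u "$path" ] && bits="setuid"
        [ -g "$path" ] && bits="${bits:+$bits,}setgid"
        if [ -n "$bits" ]; then
            echo "SET $path ($bits)"
            status=1
        else
            echo "OK $path"
        fi
    done
    return "$status"
}
```

Call the function with the new root directory as its argument after each install run; a return code of 1 means the install script did not strip the bits in that run.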