Your message dated Tue, 27 Aug 2024 13:47:43 -0600
with message-id <[email protected]>
and subject line Re: Bug#1078688: Please use filecaps for /usr/sbin/unix_chkpwd
instead of setgid shadow
has caused the Debian Bug report #1078688,
regarding Please use filecaps for /usr/sbin/unix_chkpwd instead of setgid shadow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1078688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078688
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-modules
Version: 1.5.3-7
Dear Maintainer,
As described in https://github.com/linux-pam/linux-pam/pull/373,
unix_chkpwd does not need to be setuid or setgid anymore if it is
given cap_dac_override via filecaps instead. I would like Debian to
use filecaps instead of setgid shadow for /usr/sbin/unix_chkpwd so
that the file itself can be owned by root:root and the setgid bit can
be removed from the file. Having all files in /usr owned by root:root
is useful for image builders as it allows building Debian images in a
stripped down user namespace with only the root user and nothing else
available.
Cheers,
Daan
--- End Message ---
--- Begin Message ---
Hi.
I've reviewed the situation with a couple of others whose view on
security I value.
Unfortunately, I think that sgid shadow does a better job of
representing least privilege than either DAC_OVERRIDE or (as Luca
suggests) DAC_READ.
I do not think that this change would be a net benefit for Debian
systems where uids and setgid bits can be represented in the image.
I do agree that it would be desirable to support container images where
only one uid is required.
To that end, I definitely think it is important that Debian PAM work if
unix_chkpwd has DAC_READ.
I believe this requires no action.
I think it would be great if we worked toward a solution where we could
create such containers.
I'm imagining for example a mechanism where you could run some command
to convert an image requiring more than one uid into an image requiring
one uid.
If there were a mechanism where a package like pam could support
registering what transformations it required, I would be interested in
participating in such a mechanism.
(And presumably having a way to trigger this from bootstrapping.)
I do not support making the transformation you propose in the default
installation of Debian PAM.
--- End Message ---
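To compare the two configurations discussed in this thread on an installed system, the following Python example (added here, not part of the bug report or of the PAM project) reports whether a binary gets its extra access from setuid/setgid bits or from file capabilities, by decoding the `security.capability` xattr. The function names and sample bytes are constructed for illustration, and "DAC_READ" is assumed to mean `CAP_DAC_READ_SEARCH`.

```python
import os
import stat
import struct

# Capability numbers and xattr layout constants from linux/capability.h
CAP_DAC_OVERRIDE = 1
CAP_DAC_READ_SEARCH = 2  # assumed to be what the thread calls "DAC_READ"
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs in the xattr
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def decode_filecaps(raw):
    """Decode a security.capability xattr into (permitted_mask, effective_flag)."""
    magic = int.from_bytes(raw[:4], "little")
    pairs = PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unsupported or truncated vfs_cap_data")
    permitted = 0
    for i in range(pairs):
        low, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= low << (32 * i)
    return permitted, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def describe_privilege(mode, raw_caps):
    """List the mechanisms that give a helper more access than its caller."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    if raw_caps:
        permitted, _ = decode_filecaps(raw_caps)
        if permitted & (1 << CAP_DAC_OVERRIDE):
            findings.append("cap_dac_override")
        if permitted & (1 << CAP_DAC_READ_SEARCH):
            findings.append("cap_dac_read_search")
    return findings


def inspect(path):
    """Inspect a real file (Linux only); returns the same list as above."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:
        raw = b""  # no file capabilities set, or xattrs unsupported
    return describe_privilege(os.stat(path).st_mode, raw)


# Constructed sample: revision-2 xattr equivalent to cap_dac_override=ep
SAMPLE_CAPS = struct.pack("<IIIII", 0x02000000 | 1, 1 << CAP_DAC_OVERRIDE, 0, 0, 0)
```

Calling `inspect("/usr/sbin/unix_chkpwd")` on a system shows which of the mechanisms the installed binary actually uses.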