>>>>> "Daan" == Daan De Meyer <daan.j.deme...@gmail.com> writes:
Daan> Dear Maintainer,
Daan>
Daan> As described in https://github.com/linux-pam/linux-pam/pull/373,
Daan> unix_chkpwd does not need to be setuid or setgid anymore if it is
Daan> given cap_dac_override via filecaps instead. I would like Debian to
Daan> use filecaps instead of setgid shadow for /usr/sbin/unix_chkpwd so
Daan> that the file itself can be owned by root:root and the setgid bit
Daan> can be removed from the file. Having all files in /usr owned by
Daan> root:root is useful for image builders as it allows building Debian
Daan> images in a stripped down user namespace with only the root user
Daan> and nothing else available.

My inclination is to mark this bug wontfix.

The principle of least privilege says that we should not give an executable more privilege than it needs. DAC_OVERRIDE is significant privilege--almost certainly enough privilege to compromise the system entirely. In contrast, sgid shadow is significantly less privilege.

I'd like to find a way to support the image building use case, but not at the expense of security for the rest of the world. Do you have any suggestions for how we can meet both of our needs?
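The two deployment styles under discussion (setgid shadow versus a file capability) can be compared mechanically by decoding the raw security.capability xattr that setcap writes, alongside the setuid/setgid bits in st_mode. The script below is an added example for this thread; it is not part of the bug report and is not Debian's or linux-pam's code. The xattr layout and capability bit numbers follow struct vfs_cap_data in linux/capability.h; the BROAD_CAPS set is an assumed, judgment-based list of capabilities that are close to full root, and the sample xattr bytes are constructed (they are what `setcap cap_dac_override=ep` produces for a revision-2 xattr).

```python
"""Audit the privilege a binary carries: setuid/setgid bits plus Linux file
capabilities decoded from the raw security.capability xattr (added example)."""
import os
import stat
import struct
from typing import List, Optional

# struct vfs_cap_data (linux/capability.h): a little-endian magic/flags word,
# then one (revision 1) or two (revisions 2 and 3) permitted/inheritable
# 32-bit word pairs; revision 3 appends the rootid of the owning user namespace.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000

# Capability bit numbers from linux/capability.h (subset; unknown bits get a
# numeric fallback name).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
    12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module",
    17: "cap_sys_rawio", 18: "cap_sys_chroot", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap", 39: "cap_bpf",
}

# Assumed list (judgment call): capabilities that are close to full root.
BROAD_CAPS = {"cap_dac_override", "cap_sys_admin", "cap_sys_module",
              "cap_sys_rawio", "cap_sys_ptrace", "cap_setfcap", "cap_bpf",
              "cap_setuid", "cap_setgid", "cap_fowner"}


def cap_names(mask: int) -> List[str]:
    """Expand a capability bitmask into names, ordered by bit number."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1]


def decode_vfs_caps(blob: bytes) -> dict:
    """Decode a raw security.capability xattr value (revisions 1, 2 and 3)."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        nwords, expected = 1, 12
    elif revision == VFS_CAP_REVISION_2:
        nwords, expected = 2, 20
    elif revision == VFS_CAP_REVISION_3:
        nwords, expected = 2, 24
    else:
        raise ValueError(f"unknown vfs_cap revision {revision:#x}")
    if len(blob) != expected:
        raise ValueError(f"revision {revision >> 24} needs {expected} bytes, got {len(blob)}")
    permitted = inheritable = 0
    for i in range(nwords):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = None
    if revision == VFS_CAP_REVISION_3:
        (rootid,) = struct.unpack_from("<I", blob, 4 + 8 * nwords)
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(permitted),
        "inheritable": cap_names(inheritable),
        "rootid": rootid,
    }


def audit_privilege(mode: int, caps_blob: Optional[bytes]) -> List[str]:
    """List every privilege a file grants at exec time, flagging broad caps."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid bit set")
    if mode & stat.S_ISGID:
        findings.append("setgid bit set")
    if caps_blob:
        caps = decode_vfs_caps(caps_blob)
        tag = "effective" if caps["effective"] else "permitted only"
        for name in caps["permitted"]:
            level = "BROAD" if name in BROAD_CAPS else "narrow"
            findings.append(f"filecap {name} ({tag}, {level})")
    return findings


def audit_path(path: str) -> List[str]:
    """Audit a real file (Linux only); an empty list means no privilege."""
    st = os.stat(path)
    blob = None
    if hasattr(os, "getxattr"):
        try:
            blob = os.getxattr(path, "security.capability")
        except OSError:  # ENODATA (no caps set) or filesystem without xattrs
            blob = None
    return audit_privilege(st.st_mode, blob)


# Constructed sample: revision 2, effective flag set, permitted[0] = bit 1
# (cap_dac_override), nothing inheritable.
SAMPLE_DAC_OVERRIDE_XATTR = bytes.fromhex(
    "01000002"              # magic_etc = 0x02000001, little-endian
    "02000000" "00000000"   # permitted[0], inheritable[0]
    "00000000" "00000000"   # permitted[1], inheritable[1]
)

if __name__ == "__main__":
    # The two options discussed in the thread, side by side.
    print("setgid shadow:", audit_privilege(0o102755, None))
    print("filecaps     :", audit_privilege(0o100755, SAMPLE_DAC_OVERRIDE_XATTR))
```

Run against a real path with `audit_path("/usr/sbin/unix_chkpwd")` on a Linux host to see which of the two shapes an installed binary actually has; the output is a list of strings so it can be fed straight into a package-level least-privilege check.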