Date: Thursday, November 10, 2022 @ 08:08:44
Author: eworm
Revision: 461078
upgpkg: shadow 4.12.3-2: give CAP_DAC_READ_SEARCH to shadow.service...
... and allow it to read /etc/{,g}shadow without read permission.
Modified:
shadow/trunk/PKGBUILD
shadow/trunk/shadow.service
----------------+
PKGBUILD | 6 +++---
shadow.service | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-11-10 07:38:40 UTC (rev 461077)
+++ PKGBUILD 2022-11-10 08:08:44 UTC (rev 461078)
@@ -4,7 +4,7 @@
pkgname=shadow
pkgver=4.12.3
-pkgrel=1
+pkgrel=2
pkgdesc="Password and account management tool suite with support for shadow
files and PAM"
arch=(x86_64)
url="https://github.com/shadow-maint/shadow";
@@ -41,7 +41,7 @@
'e8418e6d518101be63e7890254f9a0490f94302882689a0b69601186c9f1915831a34bb6998dbc92b753bff3f762793a7ccade66c2bac2d7b7a77d1a861d5cb7'
'4e6b1f88ab1e3416ab0633b897ebb1359d422b5c2222f3ed3631732f790c42352d1cbe66fa08f45eb2e1679af8f602a95fcc7f463f1bba94c2414e902a4fa215'
'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621'
-
'cbcaf50bc48da71caa1f97a1a5789e56004e9507a56680ce73e4e23b9c4fa446bc47aeb50b821324d4a86df2158f051f2d8f89089a90d0f723866c3cde16fe60'
+
'86c9412e379c0fc97c0eec417340adae990342f35d6663a6a59e8aae2221a5fbfd0437b5892aefd9cf09ef76a970f3a42b20cea051db651475d526eda17a973a'
'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8')
b2sums=('63b10d75a11d419156a996b8acf1bebbfab28999c2ab796e6625c028882073d4021806d8b56224190886c076a1205955e7797cb6f797ef73af3a8a33ac34bf2f'
'SKIP'
@@ -50,7 +50,7 @@
'9715184569ca6769b31c01a58a1c8a0b5bb8099f6c07a888a2e0fab6748ac18eed7dd4297cc98449fd2a123cff6b027ab757d34a4cad113a4d9e5e02b28bb668'
'f11abd5dbe0cc4029eb8e7eb101d95f0fbf48550bdab73ebea1f25a5bc9a401713061832bf494d614711d834ab1e79ef14831bc8a2d18b8980fcb2fe7e0fe5c3'
'5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b'
-
'860d05baed87715d30b353c7d34b8f3dc0cf82926155d7e65695bff7c799388dfce998b7c83d0d1ccd9c5a1c6990c93c9f4a864582a9c342c675150d473939ea'
+
'be9d8a7424143791e61d61b01c775e3a10dd6b6a1a7af13081bc00e400e880a209240dcceb09c671de41fbdf18373f1195aa8a559cf935122ba5d1312ed8dab2'
'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879')
validpgpkeys=(66D0387DB85D320F8408166DB175CFA98F192AF2) # Serge Hallyn
<[email protected]>
Modified: shadow.service
===================================================================
--- shadow.service 2022-11-10 07:38:40 UTC (rev 461077)
+++ shadow.service 2022-11-10 08:08:44 UTC (rev 461078)
@@ -3,7 +3,7 @@
After=systemd-sysusers.service
[Service]
-CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Always run both checks, but fail the service if either fails
ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r'
Nice=19
