clone 155583 -1
tags -1 = patch
reassign -1 nis
title -1 nis: please use dpkg-statoverride for /sbin/unix_chkpwd
severity -1 important
user [EMAIL PROTECTED]
usertags -1 ubuntu-patch origin-ubuntu intrepid
thanks

Hi Mark,

So the latest upstream version of Linux-PAM, which I'm now merging into Debian, has split out the selinux password updating functionality into a separate binary (which doesn't need to be suid in any case); so I think it's time for Debian to move forward with dropping /sbin/unix_chkpwd to sgid shadow by default.

At this point in time, I believe this would be the correct thing to do for lenny even if the nis package were not updated to match; however, a patch is readily available, so I don't think it should be a problem to get both packages updated for lenny (and I'm happy to NMU nis if you would like).

The patch from the Ubuntu nis package is attached.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                        [EMAIL PROTECTED]

diff -u nis-3.17/debian/postinst nis-3.17/debian/postinst --- nis-3.17/debian/postinst +++ nis-3.17/debian/postinst @@ -95,2 +95,8 @@ +# /sbin/unix_chkpwd is installed setgid shadow by default; for NIS we need +# setuid root. (See #155583) +if ! dpkg-statoverride --list /sbin/unix_chkpwd >/dev/null; then + dpkg-statoverride --update --add root root 4755 /sbin/unix_chkpwd +fi + exit 0 diff -u nis-3.17/debian/prerm nis-3.17/debian/prerm --- nis-3.17/debian/prerm +++ nis-3.17/debian/prerm @@ -16,6 +16,16 @@ else echo WARNING: init script for NIS has been removed - daemons may not be stopped. fi + + # /sbin/unix_chkpwd is installed setgid shadow by default; for NIS we need + # setuid root, so the postinst installed a statoverride. (See + # #155583) Remove that override again here. + if OVR=$(dpkg-statoverride --list /sbin/unix_chkpwd) && \ + [ "$OVR" == "root root 4755 /sbin/unix_chkpwd" ]; then + dpkg-statoverride --remove /sbin/unix_chkpwd + chown root:shadow /sbin/unix_chkpwd + chmod 2755 /sbin/unix_chkpwd + fi ;; failed-upgrade) ;;
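
Review bot: in the debian/postinst hunk, the guard `if ! dpkg-statoverride --list /sbin/unix_chkpwd >/dev/null` only tests that some override exists, so an existing entry with a non-setuid mode is left in place without any message and the setuid-root mode the comment says NIS needs is never applied. Nothing records that this package added the entry either, so the prerm's exact-string match on `root root 4755 /sbin/unix_chkpwd` would also remove an identical override the administrator had set by hand. Suggest printing a notice when a differing override is found, and recording that the override was added by nis so removal can be limited to that case.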
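
Review bot: in the debian/prerm hunk, the test `[ "$OVR" == "root root 4755 /sbin/unix_chkpwd" ]` uses `==`, which POSIX `[` does not define; if the script runs under a /bin/sh such as dash, the test errors out, the condition is false, and /sbin/unix_chkpwd stays setuid root after nis is removed. Use `=` instead. The restore step also hard-codes `chown root:shadow` and `chmod 2755`, duplicating the default of the package that ships the binary, so it will go stale if that default changes; a comment naming where the default comes from would help.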

