Bug#827479: newgrp: use CAP_SETGID instead of setuid on platforms that support it

2021-03-09 Thread Laurent Bigonville
Package: login
Version: 1:4.8.1-1
Followup-For: Bug #827479

Hello,

The executables installed by newgrp and uidmap are still today setuid
instead of using capabilities.

When looking at the build system, it seems that the newuidmap and
newgidmap are actually meant to use the file capabilities instead of being
setuid:


src/Makefile.am:setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
src/Makefile.am:setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

Versions of packages login depends on:
ii  libaudit1   1:3.0-2
ii  libc6   2.31-9
ii  libcrypt1   1:4.4.17-1
ii  libpam-modules  1.4.0-6
ii  libpam-runtime  1.4.0-6
ii  libpam0g   1.4.0-6

login recommends no packages.

login suggests no packages.

-- no debconf information



Bug#827479: newgrp: use CAP_SETGID instead of setuid on platforms that support it

2016-06-16 Thread Daniel Kahn Gillmor
Package: login
Version: 1:4.2-3.1
Severity: normal

newgrp is currently setuid root.  Since the only superuser activity it
is supposed to execute is changing group status, it would be safer to
use setcap CAP_SETGID instead.

The iputils-ping package made this transition for ping.  That package
Recommends: libcap2-bin, and has a postinst containing:

    if [ "$1" = configure ]; then
        # If setcap is installed, try setting cap_net_raw+ep,
        # which allows us to install our binaries without the setuid
        # bit.
        if command -v setcap > /dev/null; then
            if setcap cap_net_raw+ep /bin/ping; then
                chmod u-s /bin/ping
            else
                echo "Setcap failed on /bin/ping, falling back to setuid" >&2
                chmod u+s /bin/ping
            fi
        else
            echo "Setcap is not installed, falling back to setuid" >&2
            chmod u+s /bin/ping
        fi
    fi


It would be great to do a similar thing for newgrp.

   --dkg



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing'), (200, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages login depends on:
ii  libaudit1   1:2.5.2-1
ii  libc6   2.22-11
ii  libpam-modules  1.1.8-3.3
ii  libpam-runtime  1.1.8-3.3
ii  libpam0g   1.1.8-3.3

login recommends no packages.

login suggests no packages.

-- debconf-show failed
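
Added example (not part of either message, nor of the shadow or iputils packaging): a check for the state both reports describe, telling whether a binary gets its privilege from the setuid bit, from file capabilities, or from both. The function names and the three default paths are assumptions (the usual Debian install locations); getcap comes from libcap2-bin.

```shell
#!/bin/sh
# Added example: report how each binary obtains privilege.

# Locate getcap; on Debian it may live in /sbin, outside a user's PATH.
find_getcap() {
    command -v getcap 2>/dev/null && return 0
    for g in /sbin/getcap /usr/sbin/getcap; do
        [ -x "$g" ] && { echo "$g"; return 0; }
    done
    return 1
}

# Print one of: missing, setuid, caps, setuid+caps, plain.
priv_mode() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    caps=""
    gc=$(find_getcap) || gc=""
    if [ -n "$gc" ]; then
        # getcap prints nothing for a file without capabilities.
        caps=$("$gc" "$f" 2>/dev/null) || caps=""
    fi
    if [ -u "$f" ] && [ -n "$caps" ]; then
        echo "setuid+caps"   # capability set, but setuid bit never dropped
    elif [ -u "$f" ]; then
        echo "setuid"
    elif [ -n "$caps" ]; then
        echo "caps"
    else
        echo "plain"
    fi
}

# Tab-separated report: mode, then path.
audit() {
    for f in "$@"; do
        printf '%s\t%s\n' "$(priv_mode "$f")" "$f"
    done
}

# Assumed default locations of the binaries discussed in this bug.
audit /usr/bin/newgrp /usr/bin/newuidmap /usr/bin/newgidmap
```

If getcap is not installed, file capabilities cannot be read and a capability-only binary is reported as "plain".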