Bug 1214018

Summary: AUDIT-WHITELIST: shadow: permissions for newgidmap/newuidmap for shadow 4.14.0
Product: [openSUSE] openSUSE Tumbleweed Reporter: Michael Vetter <mvetter>
Component: Security Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: kukuk, matthias.gerstner
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   

Description Michael Vetter 2023-08-07 06:29:47 UTC
When packaging RC2 of shadow 4.14.0 (which should be released in the next days) I get:
shadow.x86_64: E: permissions-incorrect-owner /usr/bin/newgidmap belongs to root:shadow but should be root:root
shadow.x86_64: E: permissions-incorrect /usr/bin/newgidmap has mode 04755 but should be 0755

In our spec file we have so far:
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap

Could you adapt the permissions package when we release shadow 4.14.0?

Comment 1 Matthias Gerstner 2023-08-07 10:17:51 UTC
Hi Michael,

didn't we purposefully remove the setuid bit and shadow group in bug 1208309?

See also https://github.com/openSUSE/permissions/commit/dd301b149e0adc4ee05ff206d4f85953c43440ba

Comment 2 Matthias Gerstner 2023-09-05 08:14:28 UTC
Any new insights here? Is there an actual problem with this or can we close
the bug?

Comment 3 Michael Vetter 2023-09-05 08:30:56 UTC
Hi Matthias,

sorry I overlooked your response!

And you are absolutely right. I read up on our earlier conversation and we did this intentionally. Sorry for the noise!