Bug 1214018 - AUDIT-WHITELIST: shadow: permissions for newgidmap/newuidmap for shadow 4.14.0
Status: RESOLVED INVALID
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
 
Reported: 2023-08-07 06:29 UTC by Michael Vetter
Modified: 2023-09-05 08:30 UTC (History)

Description Michael Vetter 2023-08-07 06:29:47 UTC
When packaging RC2 of shadow 4.14.0 (which should be released in the next days) I get:
shadow.x86_64: E: permissions-incorrect-owner /usr/bin/newgidmap belongs to root:shadow but should be root:root
shadow.x86_64: E: permissions-incorrect /usr/bin/newgidmap has mode 04755 but should be 0755

In our spec file we have so far:
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap

Could adapt the permissions package when we release shadow 4.14.0?
Comment 1 Matthias Gerstner 2023-08-07 10:17:51 UTC
Hi Michael,

didn't we purposefully remove the setuid bit and shadow group in bug 1208309?

See also https://github.com/openSUSE/permissions/commit/dd301b149e0adc4ee05ff206d4f85953c43440ba
Comment 2 Matthias Gerstner 2023-09-05 08:14:28 UTC
Any new insights here? Is there an actual problem with this or can we close
the bug?
Comment 3 Michael Vetter 2023-09-05 08:30:56 UTC
Hi Matthias,

sorry I overlooked your response!

And you are absolutely right. I read up on our earlier conversation and we did this intentionally. Sorry for the noise!