
Bug 47208

Summary: sys-apps/shadow: SUID set wrong.
Product: Gentoo Linux
Reporter: Philipp Kern <phil>
Component: New packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Philipp Kern 2004-04-08 06:08:46 UTC
For security reasons -- as in most of the other packages -- the suid binaries should be set to 4711 to deny read access to non-root.

This affects the following files in this package:
-rwsr-xr-x  1 root 28304 Feb 16 06:11 /bin/su
-rwsr-xr-x  1 root 37484 Feb 16 06:11 /usr/bin/chfn
-rwsr-xr-x  1 root 33456 Feb 16 06:11 /usr/bin/chsh
-rwsr-xr-x  1 root 47912 Feb 16 06:11 /usr/bin/chage
-rwsr-xr-x  1 root 23944 Feb 16 06:11 /usr/bin/expiry
-rwsr-xr-x  1 root 28136 Feb 16 06:11 /usr/bin/newgrp
-rwsr-xr-x  1 root 35080 Feb 16 06:11 /usr/bin/passwd
-rwsr-xr-x  1 root 47872 Feb 16 06:11 /usr/bin/gpasswd
Comment 1 solar (RETIRED) gentoo-dev 2004-07-05 06:30:40 UTC
Philipp,
I agree, however some people don't, which is why I came up with FEATURES="sfperms".

The hardened/embedded/selinux/uclibc profiles set this FEATURE by default.
Maybe one day the other profiles will set it as well (it's never caused a single problem).

Anyway here is a description of the feature.

#  'sfperms'     feature for security minded people that causes portage to 
#                remove group+other readable bits on setuid files and
#                remove the other readable bits on setgid files.

-rws--x--x  1 root root 33196 Jul  3 05:20 /bin/su
-rws--x--x  1 root root 37244 Jul  3 05:20 /usr/bin/chage
-rws--x--x  1 root root 31244 Jul  3 05:20 /usr/bin/chfn
-rws--x--x  1 root root 29856 Jul  3 05:20 /usr/bin/chsh
-rws--x--x  1 root root 17692 Jul  3 05:20 /usr/bin/expiry
-rws--x--x  1 root root 38120 Jul  3 05:20 /usr/bin/gpasswd
-rws--x--x  1 root root 21020 Jul  3 05:20 /usr/bin/newgrp
-rws--x--x  1 root root 39080 Jul  3 05:20 /usr/bin/passwd
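The mode transform that comment 1 describes, written out as an added example (not Portage's own sfperms code): setuid files lose the group and other read bits, setgid files lose only the other read bit, so 4755 becomes 4711 and 2755 becomes 2751. The audit walks a constructed temporary tree that mimics the listing in the report; the paths and modes in it are sample values, not taken from a real system.

```python
import os
import stat
import tempfile


def sfperms_mode(mode: int) -> int:
    """Permission bits `mode` would have after the sfperms rule is applied."""
    perm = stat.S_IMODE(mode)
    if perm & stat.S_ISUID:
        perm &= ~(stat.S_IRGRP | stat.S_IROTH)   # setuid: drop g+r and o+r
    elif perm & stat.S_ISGID:
        perm &= ~stat.S_IROTH                    # setgid only: drop o+r
    return perm


def audit_tree(root: str) -> dict[str, tuple[int, int]]:
    """Return {path: (current_mode, sfperms_mode)} for every regular file
    under `root` that is still readable more widely than sfperms allows."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                          # skip symlinks, devices, etc.
            cur = stat.S_IMODE(st.st_mode)
            want = sfperms_mode(cur)
            if want != cur:
                findings[path] = (cur, want)
    return findings


def apply_sfperms(root: str) -> int:
    """Apply the rule in place; returns the number of files changed."""
    findings = audit_tree(root)
    for path, (_cur, want) in findings.items():
        os.chmod(path, want)
    return len(findings)


def demo() -> dict[str, tuple[int, int]]:
    """Build a constructed tree, audit it, fix it, and return the findings."""
    root = tempfile.mkdtemp(prefix="sfperms-")
    samples = {"bin/su": 0o4755, "usr/bin/passwd": 0o4755,   # constructed
               "usr/bin/wall": 0o2755, "bin/ls": 0o755}      # sample modes
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF")                  # placeholder file body
        os.chmod(path, mode)
    before = audit_tree(root)
    apply_sfperms(root)
    assert audit_tree(root) == {}                 # nothing left to fix
    return {os.path.relpath(p, root): v for p, v in before.items()}
```

Running `demo()` reports only the setuid and setgid entries; the plain 0755 file is untouched, which matches the "never caused a single problem" claim in that the rule only ever strips read bits from privileged binaries.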
Comment 2 SpanKY gentoo-dev 2004-10-09 20:29:03 UTC
added to shadow-4.0.4.1-r4