For security reasons -- as in most of the other packages -- the suid binaries should be set 4711 to deny read access to non-root. This affects in this package:

-rwsr-xr-x 1 root 28304 Feb 16 06:11 /bin/su
-rwsr-xr-x 1 root 37484 Feb 16 06:11 /usr/bin/chfn
-rwsr-xr-x 1 root 33456 Feb 16 06:11 /usr/bin/chsh
-rwsr-xr-x 1 root 47912 Feb 16 06:11 /usr/bin/chage
-rwsr-xr-x 1 root 23944 Feb 16 06:11 /usr/bin/expiry
-rwsr-xr-x 1 root 28136 Feb 16 06:11 /usr/bin/newgrp
-rwsr-xr-x 1 root 35080 Feb 16 06:11 /usr/bin/passwd
-rwsr-xr-x 1 root 47872 Feb 16 06:11 /usr/bin/gpasswd
Philipp, I agree; however, some people don't. Which is why I came up with FEATURES="sfperms". The hardened/embedded/selinux/uclibc profiles set this FEATURE by default. Maybe one day the other profiles will set it as well. (It's never caused a single problem.) Anyway, here is a description of the feature.

# 'sfperms' feature for security minded people that causes portage to
# remove group+other readable bits on setuid files and
# remove the other readable bits on setgid files.

-rws--x--x 1 root root 33196 Jul 3 05:20 /bin/su
-rws--x--x 1 root root 37244 Jul 3 05:20 /usr/bin/chage
-rws--x--x 1 root root 31244 Jul 3 05:20 /usr/bin/chfn
-rws--x--x 1 root root 29856 Jul 3 05:20 /usr/bin/chsh
-rws--x--x 1 root root 17692 Jul 3 05:20 /usr/bin/expiry
-rws--x--x 1 root root 38120 Jul 3 05:20 /usr/bin/gpasswd
-rws--x--x 1 root root 21020 Jul 3 05:20 /usr/bin/newgrp
-rws--x--x 1 root root 39080 Jul 3 05:20 /usr/bin/passwd
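The sfperms rule from the comment above, written out as a small POSIX sh example. This is an added illustration, not portage's own code and not part of the bug report; the function names (sfperms_mode, find_sfperms_violations, apply_sfperms) are this example's own, and the demo runs on a scratch directory with constructed files rather than on real system binaries. It shows the mode arithmetic (4755 becomes 4711, 2755 becomes 2751), a find-based audit that lists setuid/setgid files still readable by group or other, and the chmod that sfperms applies at merge time.

```shell
#!/bin/sh
# Added example (not portage code): the sfperms rule in plain sh.
#
# Rule: setuid file -> remove group-read and other-read  (4755 -> 4711)
#       setgid file -> remove other-read                  (2755 -> 2751)
# Execute bits stay, so the binaries still run; non-root users simply
# cannot read (copy or inspect) them any more.

# Print the hardened octal mode for an octal mode string such as 4755.
sfperms_mode() {
    m=$(( 0$1 ))                         # "4755" -> integer (leading 0 = octal)
    if [ $(( m & 2048 )) -ne 0 ]; then   # 04000 set: setuid file
        m=$(( m & ~36 ))                 # clear 040 (g+r) and 04 (o+r)
    fi
    if [ $(( m & 1024 )) -ne 0 ]; then   # 02000 set: setgid file
        m=$(( m & ~4 ))                  # clear 04 (o+r)
    fi
    printf '%04o\n' "$m"
}

# Audit: list files under $1 that still violate the rule
# (setuid with g+r or o+r, or setgid with o+r).
find_sfperms_violations() {
    find "$1" -type f \( -perm -4040 -o -perm -4004 -o -perm -2004 \)
}

# Enforce: apply the rule to every setuid/setgid file under $1.
apply_sfperms() {
    find "$1" -type f -perm -4000 -exec chmod g-r,o-r {} +
    find "$1" -type f -perm -2000 -exec chmod o-r {} +
}

# Demo on a constructed scratch directory; run as: sh sfperms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    : > "$d/su";   chmod 4755 "$d/su"    # constructed stand-in for a setuid binary
    : > "$d/wall"; chmod 2755 "$d/wall"  # constructed stand-in for a setgid binary
    : > "$d/ls";   chmod 0755 "$d/ls"    # plain binary, untouched by the rule
    echo "violations before:"; find_sfperms_violations "$d"
    apply_sfperms "$d"
    echo "violations after:";  find_sfperms_violations "$d"   # prints nothing
    ls -l "$d"
    rm -rf "$d"
fi
```

The audit function is the useful part on a system without FEATURES="sfperms": pointed at /bin, /sbin, /usr/bin and /usr/sbin it prints exactly the files Philipp listed, and prints nothing once the rule has been applied.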
added to shadow-4.0.4.1-r4