shadow should use capabilities instead of suid root for the new{g,u}idmap binaries. According to https://github.com/shadow-maint/shadow/blob/master/libmisc/idmapping.c#L124 this is superior from a functionality perspective. And I think from a security perspective fewer binaries with suid root are preferable as well. Reproducible: Always
We'll have to do it conditionally as not all filesystems support caps. Thanks!
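The check a practitioner would want here, as an added example that is not part of the bug report, the shadow sources, or the Gentoo ebuild: a small POSIX shell script that reports whether an ID-mapping helper is privileged through setuid root, through file capabilities, or not at all, plus an installer that grants cap_setuid/cap_setgid and falls back to setuid root only when the filesystem rejects the capability xattr (the "conditionally" case from the reply above). It assumes Linux with GNU stat(1) and the libcap getcap/setcap tools; the /usr/bin/new{u,g}idmap paths are illustrative defaults, not taken from the bug.

```shell
#!/bin/sh
# Added example, not code from the bug report, shadow or Gentoo.
# Audits how an ID-mapping helper gains privilege and installs one with file
# capabilities when the filesystem accepts them, else falls back to setuid root.
# Assumes Linux with GNU stat(1); getcap/setcap from libcap are optional.
# Helper paths below are illustrative defaults (assumption).

# Print how FILE obtains privilege: "suid-root", "caps", or "none".
privilege_mode() {
    f=$1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null) || return 1
    # %a prints four octal digits when a special bit is set; a leading
    # 4, 5, 6 or 7 means setuid. Only a root-owned setuid file is "suid-root".
    case "$mode" in
        [4567]???)
            if [ "$owner" = 0 ]; then
                echo suid-root
                return 0
            fi
            ;;
    esac
    # getcap prints nothing for a file without capabilities.
    if command -v getcap >/dev/null 2>&1; then
        case "$(getcap "$f" 2>/dev/null)" in
            *cap_setuid*|*cap_setgid*) echo caps; return 0 ;;
        esac
    fi
    echo none
}

# Install FILE with capability CAP (cap_setuid for newuidmap, cap_setgid for
# newgidmap). setcap fails on filesystems without security.* xattrs; only then
# fall back to setuid root. Needs root to succeed; prints the mode applied.
install_idmap_helper() {
    f=$1; cap=$2
    chmod 0755 "$f" || return 1          # start from a non-setuid mode
    if command -v setcap >/dev/null 2>&1 && setcap "${cap}=ep" "$f" 2>/dev/null; then
        echo caps
    elif chown root:root "$f" && chmod 4755 "$f"; then
        echo suid-root
    else
        return 1
    fi
}

# Report the current state of any helpers present on this host.
for f in /usr/bin/newuidmap /usr/bin/newgidmap; do
    [ -e "$f" ] || continue
    printf '%s: %s\n' "$f" "$(privilege_mode "$f")"
done
```

Running the script as-is only audits; the installer is a function so that a package build step can call it per helper, for example `install_idmap_helper /usr/bin/newuidmap cap_setuid`, and act on the printed result (for instance, logging when the fallback to setuid root was taken).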
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16921604a6bd3ec292570577a472d18aebe60389

commit 16921604a6bd3ec292570577a472d18aebe60389
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-17 02:29:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-17 02:32:11 +0000

    sys-apps/shadow: backport password leak fix, backport usermod gid --prefix fix

    Bug: https://bugs.gentoo.org/908613
    Closes: https://bugs.gentoo.org/894754
    Signed-off-by: Sam James <sam@gentoo.org>

 .../shadow/files/shadow-4.13-password-leak.patch | 135 +++++++++++
 .../files/shadow-4.13-usermod-prefix-gid.patch   |  33 +++
 sys-apps/shadow/shadow-4.13-r4.ebuild            | 268 +++++++++++++++++++++
 3 files changed, 436 insertions(+)
Sorry, tagged wrong bug.