* [gentoo-dev] [PATCH 0/4] Add shadow group with read access to /etc/[g]shadow
From: Mike Gilbert @ 2025-10-03 17:07 UTC (permalink / raw
To: gentoo-dev; +Cc: Mike Gilbert
This is an idea borrowed from Debian and Alpine. It allows us to drop
suid/caps from a couple of binaries in PAM and sys-apps/shadow.
https://github.com/gentoo/gentoo/pull/44000
Mike Gilbert (4):
acct-group/shadow: new package, add 0
sys-libs/pam: wire up shadow group
sys-apps/shadow: install suid binaries as 4755
sys-apps/shadow: wire up shadow group
acct-group/shadow/metadata.xml | 7 ++++++
acct-group/shadow/shadow-0.ebuild | 22 +++++++++++++++++++
...-4.14.8.ebuild => shadow-4.14.8-r1.ebuild} | 14 ++++++++++--
...am-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} | 14 +++++++-----
4 files changed, 49 insertions(+), 8 deletions(-)
create mode 100644 acct-group/shadow/metadata.xml
create mode 100644 acct-group/shadow/shadow-0.ebuild
rename sys-apps/shadow/{shadow-4.14.8.ebuild => shadow-4.14.8-r1.ebuild} (94%)
rename sys-libs/pam/{pam-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} (96%)
--
2.51.0
* [gentoo-dev] [PATCH 1/4] acct-group/shadow: new package, add 0
From: Mike Gilbert @ 2025-10-03 17:07 UTC (permalink / raw
To: gentoo-dev; +Cc: Mike Gilbert
GID 42 matches Debian.
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
acct-group/shadow/metadata.xml | 7 +++++++
acct-group/shadow/shadow-0.ebuild | 24 ++++++++++++++++++++++++
2 files changed, 31 insertions(+)
create mode 100644 acct-group/shadow/metadata.xml
create mode 100644 acct-group/shadow/shadow-0.ebuild
diff --git a/acct-group/shadow/metadata.xml b/acct-group/shadow/metadata.xml
new file mode 100644
index 000000000000..65e1fc82d859
--- /dev/null
+++ b/acct-group/shadow/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="project">
+ <email>base-system@gentoo.org</email>
+ </maintainer>
+</pkgmetadata>
diff --git a/acct-group/shadow/shadow-0.ebuild b/acct-group/shadow/shadow-0.ebuild
new file mode 100644
index 000000000000..1637461e3eb5
--- /dev/null
+++ b/acct-group/shadow/shadow-0.ebuild
@@ -0,0 +1,24 @@
+# Copyright 2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=42
+
+pkg_postinst() {
+ # Look up the gid in ${EROOT}/etc/group.
+ # It may differ from the gid in /etc/group.
+ local gid=$(egetent group shadow | cut -d: -f3)
+ if [[ -z ${gid} ]]; then
+ eerror "Unable to determine id for shadow group"
+ return
+ fi
+ local db
+ for db in gshadow shadow; do
+ [[ -e ${EROOT}/etc/${db} ]] || continue
+ chgrp "${gid}" "${EROOT}/etc/${db}"
+ chmod g+r "${EROOT}/etc/${db}"
+ done
+}
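Review bot: The `chgrp` and `chmod g+r` at the end of pkg_postinst are not chained, so when chgrp fails the file is still made group-readable under whatever group it currently has, and neither failure is reported; the pam and sys-apps/shadow patches in this series use `chgrp … && chmod …` for the same step. Consider `if ! chgrp "${gid}" "${EROOT}/etc/${db}" || ! chmod g+r "${EROOT}/etc/${db}"; then eerror "Failed to grant group ${gid} read access to ${EROOT}/etc/${db}"; fi` so a read-only or otherwise unwritable ${EROOT}/etc is visible in the log. Separately, `local gid=$(egetent group shadow | cut -d: -f3)` hides egetent's exit status behind `local` (shellcheck SC2155); `local gid; gid=$(egetent group shadow | cut -d: -f3)` keeps it observable, and the same form appears in the pkg_postinst hunks of the pam and sys-apps/shadow patches.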
--
2.51.0
* [gentoo-dev] [PATCH 2/4] sys-libs/pam: wire up shadow group
From: Mike Gilbert @ 2025-10-03 17:07 UTC (permalink / raw
To: gentoo-dev; +Cc: Mike Gilbert
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
...am-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} | 23 ++++++++++++++-----
1 file changed, 17 insertions(+), 6 deletions(-)
rename sys-libs/pam/{pam-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} (92%)
diff --git a/sys-libs/pam/pam-1.7.1-r1.ebuild b/sys-libs/pam/pam-1.7.1-r2.ebuild
similarity index 92%
rename from sys-libs/pam/pam-1.7.1-r1.ebuild
rename to sys-libs/pam/pam-1.7.1-r2.ebuild
index d580d7da9dff..9f36e29ce99b 100644
--- a/sys-libs/pam/pam-1.7.1-r1.ebuild
+++ b/sys-libs/pam/pam-1.7.1-r2.ebuild
@@ -9,7 +9,7 @@ MY_P="Linux-${PN^^}-${PV}"
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
-inherit db-use fcaps flag-o-matic meson-multilib
+inherit db-use flag-o-matic meson-multilib user-info
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam"
@@ -42,6 +42,7 @@ REQUIRED_USE="?? ( elogind systemd )"
# meson.build specifically checks for bison and then byacc
# also requires xsltproc
BDEPEND+="
+ acct-group/shadow
|| ( sys-devel/bison dev-util/byacc )
app-text/docbook-xsl-ns-stylesheets
dev-libs/libxslt
@@ -63,7 +64,9 @@ DEPEND="
>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
)
"
-RDEPEND="${DEPEND}"
+RDEPEND="${DEPEND}
+ acct-group/shadow
+"
PDEPEND=">=sys-auth/pambase-20200616"
PATCHES=(
@@ -161,6 +164,9 @@ multilib_src_configure() {
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
+ fowners :shadow /sbin/unix_chkpwd
+ fperms g+s /sbin/unix_chkpwd
+
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
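Review bot: The new `fowners :shadow /sbin/unix_chkpwd` and `fperms g+s /sbin/unix_chkpwd` lines carry no comment, while the explanation this patch removes from pkg_postinst (`# The pam_unix module needs to check the password of the user which requires read access to /etc/shadow only.`) was the only rationale in the file for why the helper is privileged at all. Suggest keeping that sentence above the fowners line, e.g. `# pam_unix's helper only needs to read /etc/shadow; setgid "shadow" grants that without setuid or file capabilities.` The same gap exists at the `fperms u-s,g+s /usr/bin/{chage,expiry}` lines in patch 4's src_install hunk, where the setuid bit is dropped with no note on why setgid shadow suffices. multilib_src_install_all continues outside the hunk.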
@@ -174,6 +180,15 @@ multilib_src_install_all() {
}
pkg_postinst() {
+ if [[ -n ${ROOT} ]]; then
+ # Portage does not currently update the gid on installed files
+ # based on ${EROOT}/etc/group.
+ local gid=$(egetent group shadow | cut -d: -f3)
+ if [[ -n ${gid} ]]; then
+ chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" &&
+ chmod g+s "${EROOT}/sbin/unix_chkpwd"
+ fi
+ fi
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
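Review bot: When `egetent group shadow` yields nothing under a non-empty ROOT, the `if [[ -n ${gid} ]]` block silently does nothing, so unix_chkpwd keeps its setgid bit with whatever gid the installed file carried (presumably the build host's, per the comment above the lookup) — which, with the fcaps/setuid fallback removed later in this patch, is exactly the case this block exists to correct — and nothing is logged. An `else` branch such as `eerror "Unable to determine gid of the shadow group; ${EROOT}/sbin/unix_chkpwd may be setgid to the wrong group"` would match the eerror already used in acct-group/shadow's pkg_postinst. A `chmod g+s` that fails after a successful chgrp is likewise unreported, so a `|| eerror …` after the chain is worth adding. The same silent path is in patch 4's sys-apps/shadow pkg_postinst hunk, for chage/expiry and for the gshadow file grpconv has just created. pkg_postinst continues outside the hunk.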
@@ -184,8 +199,4 @@ pkg_postinst() {
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
-
- # The pam_unix module needs to check the password of the user which requires
- # read access to /etc/shadow only.
- fcaps -m u+s cap_dac_read_search sbin/unix_chkpwd
}
--
2.51.0
* [gentoo-dev] [PATCH 3/4] sys-apps/shadow: install suid binaries as 4755
From: Mike Gilbert @ 2025-10-03 17:07 UTC (permalink / raw
To: gentoo-dev; +Cc: Mike Gilbert
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
sys-apps/shadow/shadow-4.14.8.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/shadow/shadow-4.14.8.ebuild b/sys-apps/shadow/shadow-4.14.8.ebuild
index 152675a2c38f..582d2920ae27 100644
--- a/sys-apps/shadow/shadow-4.14.8.ebuild
+++ b/sys-apps/shadow/shadow-4.14.8.ebuild
@@ -122,7 +122,7 @@ set_login_opt() {
}
src_install() {
- emake DESTDIR="${D}" suidperms=4711 install
+ emake DESTDIR="${D}" suidperms=4755 install
# 4.9 regression: https://github.com/shadow-maint/shadow/issues/389
emake DESTDIR="${D}" -C man install
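Review bot: The commit message gives no reason for moving the setuid binaries from 4711 to 4755, and the cover letter does not mention it either; 4711 withheld read permission on these setuid-root binaries from everyone but their owner, so relaxing it is a deliberate policy change that should be recorded where the next reader will look. If the motivation is tied to the `fperms u-s,g+s` applied to chage and expiry in the following patch, or to matching the layout used by the distributions the cover letter cites, a sentence in the commit message or a comment above the emake line such as `# suidperms=4755 (was 4711): <reason>` would make the choice reviewable later. src_install continues outside the hunk.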
--
2.51.0
* [gentoo-dev] [PATCH 4/4] sys-apps/shadow: wire up shadow group
From: Mike Gilbert @ 2025-10-03 17:07 UTC (permalink / raw
To: gentoo-dev; +Cc: Mike Gilbert
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
...-4.14.8.ebuild => shadow-4.14.8-r1.ebuild} | 22 ++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
rename sys-apps/shadow/{shadow-4.14.8.ebuild => shadow-4.14.8-r1.ebuild} (92%)
diff --git a/sys-apps/shadow/shadow-4.14.8.ebuild b/sys-apps/shadow/shadow-4.14.8-r1.ebuild
similarity index 92%
rename from sys-apps/shadow/shadow-4.14.8.ebuild
rename to sys-apps/shadow/shadow-4.14.8-r1.ebuild
index 582d2920ae27..0d39da936bbf 100644
--- a/sys-apps/shadow/shadow-4.14.8.ebuild
+++ b/sys-apps/shadow/shadow-4.14.8-r1.ebuild
@@ -7,7 +7,7 @@ EAPI=8
# official. Don't keyword the pre-releases!
# Check https://github.com/shadow-maint/shadow/releases.
-inherit libtool pam verify-sig
+inherit libtool pam user-info verify-sig
DESCRIPTION="Utilities to deal with user accounts"
HOMEPAGE="https://github.com/shadow-maint/shadow"
@@ -46,10 +46,12 @@ DEPEND="
"
RDEPEND="
${COMMON_DEPEND}
+ acct-group/shadow
pam? ( >=sys-auth/pambase-20150213 )
su? ( !sys-apps/util-linux[su(-)] )
"
BDEPEND="
+ acct-group/shadow
app-arch/xz-utils
sys-devel/gettext
"
@@ -124,6 +126,9 @@ set_login_opt() {
src_install() {
emake DESTDIR="${D}" suidperms=4755 install
+ fowners :shadow /usr/bin/{chage,expiry}
+ fperms u-s,g+s /usr/bin/{chage,expiry}
+
# 4.9 regression: https://github.com/shadow-maint/shadow/issues/389
emake DESTDIR="${D}" -C man install
@@ -252,10 +257,25 @@ pkg_postinst() {
ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors."
fi
+ local gid=$(egetent group shadow | cut -d: -f3)
+
+ if [[ -n ${ROOT} ]]; then
+ # Portage does not currently update the gid on installed files
+ # based on ${EROOT}/etc/group.
+ if [[ -n ${gid} ]]; then
+ chgrp "${gid}" "${EROOT}"/usr/bin/{chage,expiry} &&
+ chmod g+s "${EROOT}"/usr/bin/{chage,expiry}
+ fi
+ fi
+
# Enable shadow groups.
if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then
if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then
grpconv -R "${EROOT:-/}"
+ if [[ -n ${gid} ]]; then
+ chgrp "${gid}" "${EROOT}"/etc/gshadow &&
+ chmod g+r "${EROOT}"/etc/gshadow
+ fi
else
ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
ewarn "run 'grpconv' afterwards!"
--
2.51.0