Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected
Here's a sad story: *70971457
is merged into shadow, allowing newgidmap/newuidmap to be installed with file caps rather than setuid. * https://bugs.archlinux.org/task/63248 is filed to take advantage of this. * The arch maintainer of the 'shadow' package notices that this doesn't work, and submits a pull request to fix this in shadow. *edf7547ad5
is merged, fixing the post install hooks. The problem here is that distros have been building shadow with PAM for O(years), but the install hooks have silently failed due to the combination of the directory mismatch (suidubins vs suidsbins) and later success with setuid'ing newgidmap/newuidmap. With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far) who never built shadow explicitly with --enable-account-tools-setuid are now getting setuid account tools, and don't have PAM configuration suitable for use with setuid account management tools. It's entirely unclear to me why you'd want this, but I assume there's some reason out there for it existing. Regardless, setuid binaries are dangerous and shouldn't be enabled by default without good reason. [1] https://bugs.archlinux.org/task/64836 [2] https://bugs.gentoo.org/702252
This commit is contained in:
parent
eaaac67d4f
commit
66b7bc0dcf
@ -226,7 +226,7 @@ AC_ARG_ENABLE(account-tools-setuid,
|
|||||||
*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
|
*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
|
||||||
;;
|
;;
|
||||||
esac],
|
esac],
|
||||||
[enable_acct_tools_setuid="maybe"]
|
[enable_acct_tools_setuid="no"]
|
||||||
)
|
)
|
||||||
|
|
||||||
AC_ARG_ENABLE(utmpx,
|
AC_ARG_ENABLE(utmpx,
|
||||||
|
Loading…
Reference in New Issue
Block a user