From a0156ce75657c02894df76269fe06819ee3af0c8 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Sat, 22 Aug 2020 17:07:26 +0200 Subject: [PATCH] sys-libs/pam: Make /sbin/unix_chkpwd suid This is to avoid importing fcaps eclass which adds a dependency on sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of this conundrum, we could specify a "-filecaps" use flag for sys-libs/pam. Problem with this solution would be no capability override for the binary making it unable to read /etc/shadow. Thus we make the binary suid. This is strictly less secure than overriding its capabilities, but I have no idea how to solve it in a less hacky way. --- .../coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild index 1ffa235a55..09f245e23f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild @@ -9,7 +9,7 @@ EAPI=7 MY_P="Linux-${PN^^}-${PV}" -inherit autotools db-use fcaps toolchain-funcs multilib-minimal +inherit autotools db-use toolchain-funcs multilib-minimal DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" HOMEPAGE="https://github.com/linux-pam/linux-pam" @@ -100,6 +100,12 @@ multilib_src_install() { multilib_src_install_all() { find "${ED}" -type f -name '*.la' -delete || die + # Flatcar: The pam_unix module needs to check the password of + # the user which requires read access to /etc/shadow + # only. Make it suid instead of using CAP_DAC_OVERRIDE to + # avoid a pam -> libcap -> pam dependency loop. + fperms 4711 /sbin/unix_chkpwd + # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop 
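Review bot: `fperms 4711 /sbin/unix_chkpwd` makes the helper setuid root, i.e. full uid-0, rather than the single CAP_DAC_OVERRIDE the comment above it says is needed, so any memory-safety or logic bug in unix_chkpwd now becomes a root escalation instead of a /etc/shadow read; the comment should state that trade-off plainly, e.g. `# NOTE: 4711 makes unix_chkpwd setuid root (full privilege), not just CAP_DAC_OVERRIDE as before.` A narrower option that still avoids libcap is the Debian model — `fowners root:shadow /sbin/unix_chkpwd` plus `fperms 2711 /sbin/unix_chkpwd` with /etc/shadow owned root:shadow mode 0640 — but that only works if the image guarantees the shadow group and those ownerships, which nothing in this ebuild shows. Also worth verifying: if I recall correctly fcaps.eclass only depends on sys-libs/libcap under USE=filecaps and itself falls back to a setuid mode when that flag is off, so `inherit fcaps` with `-filecaps` may give the same result as this hand-rolled chmod while keeping the capability path available for later. The trailing context lines of the multilib_src_install_all hunk are cut off here.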
@@ -132,8 +138,4 @@ pkg_postinst() {
 ewarn " lsof / | egrep -i 'del.*libpam\\.so'"
 ewarn ""
 ewarn "Alternatively, simply reboot your system."
-
- # The pam_unix module needs to check the password of the user which requires
- # read access to /etc/shadow only.
- fcaps cap_dac_override sbin/unix_chkpwd
 }