
pacman -Qkk gives a warning about /usr/bin/new{u,g}idmap

Code:
warning: shadow: /usr/bin/newgidmap (Permissions mismatch)
warning: shadow: /usr/bin/newuidmap (Permissions mismatch)
Checking this gives the following:
Code:
$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap = cap_setuid+ep
$ getcap /usr/bin/newgidmap
/usr/bin/newgidmap = cap_setgid+ep
$ ls -l /usr/bin/newuidmap
-rwxr-xr-x 1 root root 36992 Feb  6 18:45 /usr/bin/newuidmap
$ ls -l /usr/bin/newgidmap
-rwxr-xr-x 1 root root 36992 Feb  6 18:45 /usr/bin/newgidmap
The files wear the scarlet letter, but if they were actually setuid they'd be -rws instead of -rwx. So what's the problem? Maybe this?
Code:
#shadow.install
setcaps() {
  # shadow ships these as setuid, but if we can apply file caps, use those instead.
  setcap cap_setuid+ep usr/bin/newuidmap 2>/dev/null && chmod -s usr/bin/newuidmap
  setcap cap_setgid+ep usr/bin/newgidmap 2>/dev/null && chmod -s usr/bin/newgidmap
}
Should probably be /usr

Re: pacman -Qkk gives a warning about /usr/bin/new{u,g}idmap

Reply #1
Linux capabilities(7) work on the principle of least privilege, whereas the standard setuid/setgid method is all-or-nothing. Accordingly, as the capabilities are too many to be shown in the typical ls(1) octal way, they only show up with getcap(1), with the notable exception of setuid, which dresses in scarlet like its older and mightier sibling.
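An added example, not from either post, that makes the distinction drawn above checkable from a shell: it classifies a binary by its set-id bits versus its file capabilities, so the expected state after shadow.install (capability present, set-id bit gone) can be told apart from a genuinely setuid file. It assumes GNU stat and libcap's getcap are available (both are assumptions, and getcap is optional); pacman -Qkk compares the live mode against the mode recorded in the package's mtree, which still says 4755 for these two files, so the stripped bit is reported as a mismatch even though the binary now holds only the narrower capability.

```shell
#!/bin/sh
# classify_priv MODE CAPS
#   MODE: octal mode as printed by `stat -c %a` (e.g. 755 or 4755)
#   CAPS: capability text as reported by getcap (e.g. cap_setuid+ep), empty if none
# Prints a '+'-joined list of setuid / setgid / filecap:<caps>, or "neither".
classify_priv() {
    mode=$1
    caps=$2
    special=${mode%???}           # drop the three rwx digits, leaving the set-id/sticky digit
    special=${special:-0}         # "755" has no such digit, so treat it as 0
    out=""
    [ $((special & 4)) -ne 0 ] && out="${out}${out:++}setuid"
    [ $((special & 2)) -ne 0 ] && out="${out}${out:++}setgid"
    [ -n "$caps" ] && out="${out}${out:++}filecap:${caps}"
    echo "${out:-neither}"
}

# caps_only MODE CAPS
# Succeeds only when privilege comes from a file capability and no set-id bit remains,
# i.e. the state shadow.install intends for newuidmap/newgidmap.
caps_only() {
    case $(classify_priv "$1" "$2") in
        filecap:*) return 0 ;;
        *)         return 1 ;;
    esac
}

# inspect_priv PATH
# Gathers mode and capability from a real file and prints the classification.
# Handles both getcap output styles: "path = cap_x+ep" (older libcap) and "path cap_x=ep".
inspect_priv() {
    path=$1
    [ -e "$path" ] || { echo "$path: missing"; return 1; }
    mode=$(stat -c %a "$path")
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null | sed 's/^[^ ]* *=* *//')
    fi
    printf '%s mode=%s %s\n' "$path" "$mode" "$(classify_priv "$mode" "$caps")"
}

# Example run against the files from the thread (output depends on the live system):
#   inspect_priv /usr/bin/newuidmap
#   inspect_priv /usr/bin/newgidmap
```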