warning: shadow: /usr/bin/newgidmap (Permissions mismatch)
warning: shadow: /usr/bin/newuidmap (Permissions mismatch)
Checking this gives the following:
$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap = cap_setuid+ep
$ getcap /usr/bin/newgidmap
/usr/bin/newgidmap = cap_setgid+ep
$ ls -l /usr/bin/newuidmap
-rwxr-xr-x 1 root root 36992 Feb 6 18:45 /usr/bin/newuidmap
$ ls -l /usr/bin/newgidmap
-rwxr-xr-x 1 root root 36992 Feb 6 18:45 /usr/bin/newgidmap
The files wear the scarlet letter, but if they were actually setuid they'd be -rws instead of -rwx. So what's the problem? Maybe this?
#shadow.install
setcaps() {
  # shadow ships these as setuid, but if we can apply file caps, use those instead.
  setcap cap_setuid+ep usr/bin/newuidmap 2>/dev/null && chmod -s usr/bin/newuidmap
  setcap cap_setgid+ep usr/bin/newgidmap 2>/dev/null && chmod -s usr/bin/newgidmap
}
Should probably be /usr
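
An added example, not part of the original post or of the shadow package: it classifies a binary from its `ls -l` mode string and its `getcap` line, then relates the result to the warning. It assumes the warning compares the on-disk mode with the setuid mode the package ships; `classify_priv` and `explain_mismatch` are hypothetical helper names.

```shell
#!/bin/sh
# Classify how a binary gets its privilege, given the mode string from
# `ls -l` and the matching `getcap` output line (empty if none).
# classify_priv and explain_mismatch are hypothetical helper names.

classify_priv() {
    mode=$1    # e.g. -rwxr-xr-x
    caps=$2    # e.g. "/usr/bin/newuidmap = cap_setuid+ep", or ""
    suid=no
    has_caps=no
    # Character 4 is the owner-execute slot: s or S means setuid is set.
    case $(printf '%s' "$mode" | cut -c4) in
        s|S) suid=yes ;;
    esac
    # Any cap_* name on the getcap line means file capabilities are set.
    case $caps in
        *cap_*) has_caps=yes ;;
    esac
    case $suid:$has_caps in
        yes:yes) echo "setuid+filecaps" ;;
        yes:no)  echo "setuid" ;;
        no:yes)  echo "filecaps" ;;
        no:no)   echo "unprivileged" ;;
    esac
}

# Interpret a "Permissions mismatch" for a file the package ships setuid.
# Assumption: the check compares on-disk mode with the packaged mode.
explain_mismatch() {
    case $(classify_priv "$1" "$2") in
        filecaps)
            echo "expected: setcap succeeded and chmod -s cleared setuid" ;;
        setuid)
            echo "as shipped: setcap failed, so chmod -s never ran" ;;
        setuid+filecaps)
            echo "review: setuid bit and file capabilities both present" ;;
        unprivileged)
            echo "review: neither setuid nor file capabilities present" ;;
    esac
}

# Inputs constructed from the ls and getcap output quoted in the post.
explain_mismatch "-rwxr-xr-x" "/usr/bin/newuidmap = cap_setuid+ep"
explain_mismatch "-rwxr-xr-x" "/usr/bin/newgidmap = cap_setgid+ep"
```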