Debian Bug report logs - #298060
Please don't install login as setuid root


Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow.

Reported by: Martin Pitt <mpitt@debian.org>

Date: Fri, 4 Mar 2005 11:48:05 UTC

Severity: wishlist

Tags: confirmed, patch

Found in version 1:4.0.3-30.9

Fixed in version shadow/1:4.0.3-36

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please don't install login as setuid root
Date: Fri, 4 Mar 2005 12:39:11 +0100
Package: login
Version: 1:4.0.3-30.9
Severity: wishlist
Tags: patch

Hi!

/bin/login is currently installed setuid root, which is absolutely not
necessary and only a potential security threat. In Ubuntu we have installed
it as 0755 for ages now without any problems.

Trivial patch, but for the record:

  http://patches.ubuntu.com/patches/shadow.login-nosuid.diff

Please consider making this change for Debian, too.

Thanks,

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #10 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: team@security.debian.org, debian-release@lists.debian.org
Cc: 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: (forw) Bug#298060: Please don't install login as setuid root
Date: Sat, 5 Mar 2005 15:34:58 +0100
Security and release teams, may I have your advice about this suggestion?

As you may know, I currently act as maintainer for the shadow package,
but I'm also aware of my own weaknesses when it comes to security (and
security-related) issues so I prefer getting the advice of more
competent people.

Given that installing login non setuid has been blessed for Ubuntu,
I'm inclined to follow the suggestion, but doing so close to a release
is maybe not wise.....so I'm seeking advice..:-)




-- 





Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #18 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>
To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sat, 5 Mar 2005 19:40:24 +0000
On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?
> 
> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes to security (and
> security-related) issues so I prefer getting the advice of more
> competent people.
> 
> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.....so I'm seeking advice..:-)

  I see no reason not to follow the suggestion, for what that opinion
 is worth ..

Steve
--



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #26 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sat, 5 Mar 2005 22:56:45 -0800
On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:

> Security and release teams, may I have your advice about this suggestion?
> 
> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes to security (and
> security-related) issues so I prefer getting the advice of more
> competent people.
> 
> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.....so I'm seeking advice..:-)

FWIW, We've been doing this for some time in Ubuntu, and no one has missed
it.  In this age of pseudoterminals and single-user systems...

-- 
 - mdz



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Bill Allombert <ballombe@master.debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #34 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Bill Allombert <ballombe@master.debian.org>
To: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 05:10:59 -0600
On Sat, Mar 05, 2005 at 10:56:45PM -0800, Matt Zimmerman wrote:
> On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> 
> > Security and release teams, may I have your advice about this suggestion?
> > 
> > As you may know, I currently act as maintainer for the shadow package,
> > but I'm also aware of my own weaknesses when it comes to security (and
> > security-related) issues so I prefer getting the advice of more
> > competent people.
> > 
> > Given that installing login non setuid has been blessed for Ubuntu,
> > I'm inclined to follow the suggestion, but doing so close to a release
> > is maybe not wise.....so I'm seeking advice..:-)
> 
> FWIW, We've been doing this for some time in Ubuntu, and no one has missed
> it.  In this age of pseudoterminals and single-user systems...

Because that is the targeted users of Ubuntu. Debian has a much wider range
of use than single-user systems.

Is there a real security benefit? Is the login implementation in Debian
known to have security flaws?

The bug report is not completely accurate: it is necessary for login to be
suid root if you want to use it the way mentioned in the manpage:

       Typically,  login  is  treated  by the shell as exec login
       which causes the user to  exit  from  the  current  shell.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #42 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Bill Allombert <ballombe@master.debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 09:06:41 -0800
On Sun, Mar 06, 2005 at 05:10:59AM -0600, Bill Allombert wrote:

> On Sat, Mar 05, 2005 at 10:56:45PM -0800, Matt Zimmerman wrote:
> > FWIW, We've been doing this for some time in Ubuntu, and no one has
> > missed it.  In this age of pseudoterminals and single-user systems...
> 
> Because that is the targeted users of Ubuntu.

If someone told you that, they were misinformed.

> Is there a real security benefit? Is the login implementation in Debian
> known to have security flaws?

Those two questions are orthogonal, but the answer to the first is "yes".
Removing privilege this way is one of the few ways to provide a guarantee of
security: it would become impossible for any bug (discovered or
undiscovered) in login to result in a root compromise, except where it is
explicitly given root privileges (which I believe is only true on the
console per default).

> The bug report is not completely accurate: it is necessary for login to be
> suid root if you want to use it the way mentioned in the manpage:
> 
>        Typically,  login  is  treated  by the shell as exec login
>        which causes the user to  exit  from  the  current  shell.

There are a dozen ways to obtain the same result, without this setuid
program.

It makes little difference to me in practice whether this change is made or
not, but I do consider it appropriate and reasonable.

(what does this have to do with debian-release?)

-- 
 - mdz



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #50 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: Bill Allombert <ballombe@master.debian.org>, team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: Bug#298060: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 19:40:40 +0100
> (what does this have to do with debian-release?)

Because I was wondering whether such change would be appropriate to
have in sarge and I wanted to get the wise advice of our release
managers...:)


-- 





Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #58 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 14:53:35 -0800
On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?

> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes to security (and
> security-related) issues so I prefer getting the advice of more
> competent people.

> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.....so I'm seeking advice..:-)

Even when this feature was novel to me, I never found it useful.  I wouldn't
miss it, and obviously the security folks wouldn't; perhaps other people
may, so it's probably reasonable to let such a change age in unstable for a
bit to give them a chance to object and explain why this is actually useful
(since no one else can think of a reason).

-- 
Steve Langasek
postmodern programmer


Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #66 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: Christian Perrier <bubulle@debian.org>, team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 16:34:32 -0800
Has anyone looked at shadow's existing changelog?

  * /bin/login is suid root for several good reasons. For one, it allows
    daemons that use it to run as non-root. This is a good thing since it
    means only one program is running as root, and not several. closes: #17911

 -- Ben Collins <bcollins@debian.org>  Sun, 31 Dec 2000 14:33:47 -0500

-- 
see shy jo (hurrah for changelog abuse!)

Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #74 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Christian Perrier <bubulle@debian.org>, team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 17:24:06 -0800
On Sun, Mar 06, 2005 at 04:34:32PM -0800, Joey Hess wrote:

> Has anyone looked at shadow's existing changelog?
> 
>   * /bin/login is suid root for several good reasons. For one, it allows
>     daemons that use it to run as non-root. This is a good thing since it
>     means only one program is running as root, and not several. closes: #17911
> 
>  -- Ben Collins <bcollins@debian.org>  Sun, 31 Dec 2000 14:33:47 -0500

Is there anything which does this other than telnetd?

I'm more than willing to consider telnetd a legacy, insecure-by-design
component for which it is justified to require a non-default configuration.

-- 
 - mdz



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #82 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: 298060@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Sun, 6 Mar 2005 22:19:08 -0800
Matt Zimmerman wrote:
> I'm more than willing to consider telnetd a legacy, insecure-by-design
> component for which it is justified to require a non-default configuration.

<shrug>, my multiple uses of telnetd are all secure. :-P

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #87 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: Bug#298060: (forw) Bug#298060: Please don't install login as setuid root
Date: Mon, 7 Mar 2005 07:18:33 +0100
Quoting Joey Hess (joeyh@debian.org):
> Has anyone looked at shadow's existing changelog?

Honestly, no..:-)

> see shy jo (hurrah for changelog abuse!)

Yep. Sometimes this helps especially for packages where Debian
specific changes are noticeable.

Well, about this issue, I think I'll delay this to post-sarge, for the
day we (the shadow maintenance team, which is currently very quiet)
deal with the huge bug log of this package.

To all people who brought their advice about this issue: thank you
very much. Feel free to continue giving input, especially after Matt's
comments. The more input we have, the better decision we will make
(maybe with the help of the Technical Committee if this happens to be
too controversial).

-- 





Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #95 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Joey Hess <joeyh@debian.org>, 298060@bugs.debian.org
Subject: Re: Bug#298060: (forw) Bug#298060: Please don't install login as setuid root
Date: Mon, 7 Mar 2005 08:19:43 -0800
On Sun, Mar 06, 2005 at 10:19:08PM -0800, Joey Hess wrote:

> Matt Zimmerman wrote:
> > I'm more than willing to consider telnetd a legacy, insecure-by-design
> > component for which it is justified to require a non-default configuration.
> 
> <shrug>, my multiple uses of telnetd are all secure. :-P

I just noticed that telnetd contains its own setuid login program,
executable only by group telnetd, so not even telnetd needs a suid
/bin/login.

-- 
 - mdz
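
The distinction drawn in this thread, between a world-executable setuid-root /bin/login and a setuid login that only one group may execute (as described for telnetd's own copy), can be checked mechanically. The following is an added example, not part of the bug log or of the shadow package; the function names and status strings are invented for the illustration.

```shell
#!/bin/sh
# Added example: audit setuid-root exposure of login-style binaries.
# Function names and status strings are made up for this illustration.

# classify UID PERMS
#   UID   numeric owner uid (field 3 of `ls -ln`)
#   PERMS ls-style mode string, e.g. -rwsr-xr-x
# Prints one of: no-setuid, setuid-nonroot,
#                setuid-root-restricted, setuid-root-world
classify() {
    uid=$1
    perms=$2
    suid=$(printf '%s' "$perms" | cut -c4)    # owner-execute slot: s/S = setuid
    other=$(printf '%s' "$perms" | cut -c10)  # other-execute slot: x/t = anyone may run it
    case $suid in
        s|S) ;;
        *) echo no-setuid; return 0 ;;
    esac
    if [ "$uid" != 0 ]; then
        echo setuid-nonroot
        return 0
    fi
    case $other in
        x|t) echo setuid-root-world ;;       # any local user reaches root-privileged code
        *)   echo setuid-root-restricted ;;  # only owner/group can execute it
    esac
}

# suid_status PATH: classify a real file, or print "missing".
suid_status() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    line=$(ls -ldnL -- "$1")
    perms=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    classify "$owner" "$perms"
}

# audit_list: read paths on stdin, print "<status> <path>" for each,
# and return 1 if any of them is world-executable setuid root.
audit_list() {
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        s=$(suid_status "$p")
        printf '%s %s\n' "$s" "$p"
        if [ "$s" = setuid-root-world ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh /bin/login /bin/su ...
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$@" | audit_list || echo "world-executable setuid-root binaries present" >&2
fi
```

On a Debian system whose package still ships the bit, `dpkg-statoverride --update --add root root 0755 /bin/login` records the 0755 mode so that it survives package upgrades.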



Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #100 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Mon, 7 Mar 2005 19:18:16 +0100
Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?
> 
> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes to security (and
> security-related) issues so I prefer getting the advice of more
> competent people.
> 
> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.....so I'm seeking advice..:-)

When no code needs to be changed but only the suid bit dropped
and login still works as expected, I don't see a reason not to
drop the setuid bit; on the contrary, I wonder why it is setuid
root in the first place.

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information stored:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #108 received at 298060-quiet@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 298060-quiet@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Cc: 298060-submitter@bugs.debian.org
Subject: Bug#298060: (forw) Bug#298060: Please don't install login as setuid root
Date: Tue, 8 Mar 2005 08:02:45 +0100
Quoting Martin Schulze (joey@infodrom.org):

> When no code needs to be changed but only the suid bit dropped
> and login still works as expected, I don't see a reason not to
> drop the setuid bit; on the contrary, I wonder why it is setuid
> root in the first place.


Well, should I take this as the official Security Team advice?

If so, the conclusion would be: the Security Team is OK for the
change while the Release Team is not really pushing it...which would
then draw the conclusion for me: delay the change as the priority now
is to release.

I could for sure upload something changed to experimental. But, well,
I simply don't feel I have the resources for handling two branches for
shadow at this moment.








Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #116 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Christian Perrier <bubulle@debian.org>, team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Mon, 7 Mar 2005 23:18:39 -0800
On Sun, Mar 06, 2005 at 05:24:06PM -0800, Matt Zimmerman wrote:
> On Sun, Mar 06, 2005 at 04:34:32PM -0800, Joey Hess wrote:

> > Has anyone looked at shadow's existing changelog?

> >   * /bin/login is suid root for several good reasons. For one, it allows
> >     daemons that use it to run as non-root. This is a good thing since it
> >     means only one program is running as root, and not several. closes: #17911

> >  -- Ben Collins <bcollins@debian.org>  Sun, 31 Dec 2000 14:33:47 -0500

> Is there anything which does this other than telnetd?

Not afaik.  Even Kerberized telnetd doesn't need it (except for backwards
compatibility).

> I'm more than willing to consider telnetd a legacy, insecure-by-design
> component for which it is justified to require a non-default configuration.

Sounds fine to me.

-- 
Steve Langasek
postmodern programmer

Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Wouter Verhelst <wouter@grep.be>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #124 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Wouter Verhelst <wouter@grep.be>
To: Matt Zimmerman <mdz@debian.org>
Cc: Christian Perrier <bubulle@debian.org>, team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org, debian-hurd@lists.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Tue, 08 Mar 2005 17:03:11 +0100
On Sat, 05-03-2005 at 22:56 -0800, Matt Zimmerman wrote:
> On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> 
> > Security and release teams, may I have your advice about this suggestion?
> > 
> > As you may know, I currently act as maintainer for the shadow package,
> > but I'm also aware of my own weaknesses when it comes to security (and
> > security-related) issues so I prefer getting the advice of more
> > competent people.
> > 
> > Given that installing login non setuid has been blessed for Ubuntu,
> > I'm inclined to follow the suggestion, but doing so close to a release
> > is maybe not wise.....so I'm seeking advice..:-)
> 
> FWIW, We've been doing this for some time in Ubuntu, and no one has missed
> it.  In this age of pseudoterminals and single-user systems...

On Linux.

I'm not exactly sure about this, but I think it might break the way the
Hurd does a login. On the Hurd, you don't get a login prompt; rather,
you get a login /shell/ which allows you to do some things without
having been logged on; logging in then requires you to do 'login <user>'.
It /might/ be the case that this requires /bin/login to be setuid root,
but I'm not sure. Hurd developers (Cc'ed), care to shed some light here?

-- 
         EARTH
     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
         WATER
 -- with thanks to fortune




Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Samuel Thibault <samuel.thibault@labri.fr>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #132 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Samuel Thibault <samuel.thibault@labri.fr>
To: Wouter Verhelst <wouter@grep.be>
Cc: Matt Zimmerman <mdz@debian.org>, Christian Perrier <bubulle@debian.org>, team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org, debian-hurd@lists.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Tue, 8 Mar 2005 17:43:39 +0100
Wouter Verhelst wrote on Tue, 08 Mar 2005 17:03:11 +0100:
> On Sat, 05-03-2005 at 22:56 -0800, Matt Zimmerman wrote:
> > On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> > 
> > > Security and release teams, may I have your advice about this suggestion?
> > > 
> > > As you may know, I currently act as maintainer for the shadow package,
> > > but I'm also aware of my own weaknesses when it comes to security (and
> > > security-related) issues so I prefer getting the advice of more
> > > competent people.
> > > 
> > > Given that installing login non setuid has been blessed for Ubuntu,
> > > I'm inclined to follow the suggestion, but doing so close to a release
> > > is maybe not wise.....so I'm seeking advice..:-)
> > 
> > FWIW, We've been doing this for some time in Ubuntu, and no one has missed
> > it.  In this age of pseudoterminals and single-user systems...
> 
> On Linux.
> 
> I'm not exactly sure about this, but I think it might break the way the
> Hurd does a login. On the Hurd, you don't get a login prompt; rather,
> you get a login /shell/ which allows you to do some things without
> having been logged on; logging in then requires you to do 'login <user>'.
> It /might/ be the case that this requires /bin/login to be setuid root,
> but I'm not sure. Hurd developers (Cc'ed), care to shed some light here?

It does even *less* need to be setuid root: login may be run without
*any* identity: it gets uid from the passwd server in exchange for the
correct password for the uid. No need to be root for that.

Regards,
Samuel Thibault



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#298060. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#298060; Package login. (full text, mbox, link).


Acknowledgement sent to Michael Banck <mbanck@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #140 received at 298060@bugs.debian.org (full text, mbox, reply):

From: Michael Banck <mbanck@debian.org>
To: debian-release@lists.debian.org, 298060@bugs.debian.org, debian-hurd@lists.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
Date: Tue, 8 Mar 2005 19:22:20 +0100
On Tue, Mar 08, 2005 at 05:03:11PM +0100, Wouter Verhelst wrote:
> Op za, 05-03-2005 te 22:56 -0800, schreef Matt Zimmerman:
> > On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> > 
> > > Security and release teams, may I have your advice about this suggestion?
> > > 
> > > As you may know, I currently act as maintainer for the shadow package,
> > > but I'm also aware of my own weaknesses when it comes to security (and
> > > security-related) issues so I prefer getting the advice of more
> > > competent people.
> > > 
> > > Given that installing login non setuid has been blessed for Ubuntu,
> > > I'm inclined to follow the suggestion, but doing so close to a release
> > > is maybe not wise.....so I'm seeking advice..:-)
> > 
> > FWIW, We've been doing this for some time in Ubuntu, and no one has missed
> > it.  In this age of pseudoterminals and single-user systems...
> 
> On Linux.
> 
> I'm not exactly sure about this, but I think it might break the way the
> Hurd does a login. 

The hurd package currently ships its own /bin/login and
Provides/Replaces/Conflicts with the login package.

As to why that is suid as well, Roland McGrath once said[0]:

login   -- Falls back to unix-style if password server is not there.
           If we can presume the password server works, then we can
           clear the setuid bit here.  (We could also remove the old
           code, or leave it there for only root to be able to use w/o
           server.)


I guess this is a good opportunity to review our suid login as well.


cheers,

Michael

-- 
[0] http://lists.gnu.org/archive/html/bug-hurd/2002-06/msg00130.html



Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: confirmed Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: pending Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #153 received at 298060-close@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 298060-close@bugs.debian.org
Subject: Bug#298060: fixed in shadow 1:4.0.3-36
Date: Tue, 05 Jul 2005 16:02:32 -0400
Source: shadow
Source-Version: 1:4.0.3-36

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-36_i386.deb
  to pool/main/s/shadow/login_4.0.3-36_i386.deb
passwd_4.0.3-36_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-36_i386.deb
shadow_4.0.3-36.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-36.diff.gz
shadow_4.0.3-36.dsc
  to pool/main/s/shadow/shadow_4.0.3-36.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Jun 2005 23:37:56 +0300
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-36
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 75181 78961 87301 109279 192849 219321 244754 245332 248150 256732 261490 266281 269583 276419 286258 286616 287410 288106 288827 290842 298060 298773 304350 309408 312428 312429 312430 312431 312471 314303 314407 314423 314539 314727 315362 315372 315375 315378 315391 315407 315426 315429 315434 315483 315567 315727 315767 315783 315809 315812 315840 315972 316026
Changes: 
 shadow (1:4.0.3-36) unstable; urgency=low
 .
   * Debian specific programs fixes:
     - Re-enable logging and displaying failures on login when login is
       compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
       faillog file if it does not exist on postinst (as on Woody).
       Closes: #192849
     - do not localize login's syslog messages.
   * Debian packaging fixes:
     - Fix FTBFS with new dpkg 1.13 and use a correct dpkg-architecture
       invocation. Closes: #314407
     - Add a comment about potential sensitive information exposure
       when LOG_UNKFAIL_ENAB is set in login.defs
       Closes: #298773
     - Remove limits.5 and limits.conf.5 man pages which do not
       reflect the way we deal with limits in Debian
       Closes: #288106, #244754
     - debian/login.defs:
       - Make SU_PATH and PATH consistent with the values used in /etc/profile
         Closes: #286616
       - Comment the UMASK setting which is more confusing than useful
         as it only affects console logins. Better use pam_umask instead
         Closes: #314539, #248150
       - Add a comment about "appropriate" values for umask
         Closes: #269583
       - Correct the assertion about the variable defined by QMAIL_DIR
         which is MAILDIR, not MAIL
         Closes: #109279
       - Move the PASS_MAX_LEN variable at the end of login.defs as this
         is obsoleted when using PAM
         Closes: #87301
     - debian/passwd.config:
       - Re-enable the password confirmation question at critical priority
         Closes: #304350
       - Do not prompt again for the login name when the two passwords don't
         match while creating a new user
         Closes: #245332
     - debian/add-shell.sh, debian/remove-shell.sh, debian/shadowconfig.sh,
       debian/passwd.config, debian/passwd.postinst:
       - checked for bashisms, replaced "#!/bin/bash" with "#!/bin/sh",
         Closes: #315767
       - replaced "test XXX -a YYY" XSI:isms with "test XXX && test YYY",
         for rationale see:
         http://www.opengroup.org/onlinepubs/009695399/utilities/test.html
       - replaced all unneeded "egrep"s with basic "grep"s
         Closes: #256732
     - debian/rules:
       Remove the setuid bit on login
       Closes: #298060
     - debian/passwd.templates:
       Templates rewrite to shorten them down a little and make them DTSG
       compliant. Give more details about what the user's full name is used
       for.
       Closes: #287410
     - Updated to Standards: 3.6.2 (checked)
   * Debconf translation updates:
     - Estonian added. Closes: #312471
     - Basque updated. Closes: #314303
     - Malagasy updated. Closes: #290842
     - Punjabi updated. Closes: #315372
     - Danish updated. Closes: #315378
     - Polish updated. Closes: #315391
     - Japanese updated. Closes: #315407
     - Brazilian Portuguese updated. Closes: #315426
     - Czech updated. Closes: #315429
     - Spanish updated. Closes: #315434
     - Lithuanian updated. Closes: #315483
     - Galician updated. Closes: #315362
     - Portuguese updated. Closes: #315375
     - Simplified Chinese updated. Closes: #315567
     - French updated
     - Ukrainian updated. Closes: #315727
     - Welsh updated. Closes: #315809
     - Slovak updated. Closes: #315812
     - Romanian updated. Closes: #315783
     - Finnish updated. Closes: #315972
     - Catalan updated. Closes: #316026
   * Man pages translation updates:
     - Remove the too outdated Korean translation of newgrp.1
       which doesn't even mention sg
       Closes: #261490
   * Man pages correction for Debian specific issues:
     - 402_usermod.8-system-users-range-286258:
       Document the system user range from 0 to 999 in Debian
       Closes: #286258
   * Upstream bugs not fixed in upstream releases or CVS:
     - 423_su_pass_args_without_concatenation
       Thanks to Helmut Waitzmann.
       Closes: #276419
       * pass the argument to the shell or command without concatenation
         before the call to exec.
       * If no command is provided, the arguments after the username are for
         the shell, no -c has to be appended.
     - 008_su_ignore_SIGINT
       * Also ignore SIGQUIT in su to avoid defeating the delay.
         The gain in security is very minor.
         Closes: #288827
     - 424_pwck.8_quiet_option
       pwck(8): document the -q option. Closes: #309408
     - 425_lastlog_8_sparse
       lastlog(8): Document that lastlog is a sparse file, and doesn't need to be
       rotated. Closes: #219321
     - 426_grpck_group-gshadow_members_consistency
       * (grpck) warn for inconsistencies between members in /etc/group and gshadow
         Closes: #75181
       * (pwck and grpck) warn and propose a fix for entries present in the
         regular /etc/group or /etc/passwd files and not in shadow/gshadow.
     - 427_chage_expiry_0
       Fix chage display in the case of null expiry fields (do not display
       Never, but 01 Jan 1970)
       Closes: #78961
   * Upstream bugs already fixed in upstream releases or CVS:
     - Corrected typos in chfn.1. Closes: #312428
     - Corrected typos in gshadow.5. Closes: #312429
     - Corrected typos in shadow.5. Closes: #312430
     - Corrected typos in grpck.8. Closes: #312431
     - Added patch (356th) for su to propagate SIGSTOP up and SIGCONT down.
       Added similar patch (357th) for newgrp. Both changes only affect
       operation with CLOSE_SESSION set to yes (in /etc/login.defs).
       Closes: #314727
   * Translation updates:
     - debian/patches/010_more-i18ned-messages
       - More messages are translatable. We will deal with the translation
         updates after syncing with upstream.
         Closes: #266281
     - debian/patches/114_eu:
       - Basque translation update. Closes: #314423
     - debian/patches/132_vi.dpatch:
       - Vietnamese translation update. Closes: #315840
Files: 
 2b951dfb5a5258b06dbf4cc9c1c10a9b 843 base required shadow_4.0.3-36.dsc
 c282dd24f1a680566120ef684f5c0386 1405333 base required shadow_4.0.3-36.diff.gz
 c3e579b2641ed0587fa4d8a2fb00e56c 504416 base required passwd_4.0.3-36_i386.deb
 9608524e0d057f7cbe832b35bde32f2e 590616 base required login_4.0.3-36_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCyuJO1OXtrMAUPS0RAh8zAKCdD/46/ukzdT+o7jJwPZYJ/ZnP2QCeImF4
ZIx948C5htLynLJrbekYXn4=
=Mslh
-----END PGP SIGNATURE-----
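
The changelog above records the fix as "debian/rules: Remove the setuid bit on login". As an added example (not part of the bug log or of the shadow packaging), the shell functions below list the files under a directory that still carry the setuid bit and report any that are not on an allowlist. The function names, the constructed fixture tree and the allowlist containing only `su` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory for setuid files against an allowlist.

# list_setuid DIR: print regular files under DIR with the setuid bit (04000).
list_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# unexpected_setuid DIR [NAME...]: print setuid files whose basename is not an
# allowed NAME; return 1 if any were printed, 0 otherwise.
unexpected_setuid() {
    dir=$1
    shift
    list_setuid "$dir" | (
        rc=0
        while IFS= read -r path; do
            allowed=no
            for name in "$@"; do
                if [ "${path##*/}" = "$name" ]; then allowed=yes; fi
            done
            if [ "$allowed" = no ]; then
                printf '%s\n' "$path"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# make_fixture: constructed sample tree; "login" is setuid, as before the fix.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/login"; : > "$d/su"; : > "$d/ls"
    chmod 4755 "$d/login" "$d/su"
    chmod 0755 "$d/ls"
    printf '%s\n' "$d"
}

tree=$(make_fixture)
echo "before:"; unexpected_setuid "$tree" su || echo "-> login is setuid but not allowlisted"
chmod u-s "$tree/login"     # clears only the setuid bit, leaving mode 0755
echo "after:";  unexpected_setuid "$tree" su && echo "-> clean"
rm -rf "$tree"
```

On an installed system the same function can be pointed at a real directory such as `/bin`, with the allowlist set to the programs the local policy expects to be setuid.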




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:18:31 GMT) (full text, mbox, link).


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:44:45 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:06:06 2017; Machine Name: buxtehude
