Bug ID 926267
Summary Allow kcheckpass to be SUID
Classification openSUSE
Product openSUSE Factory
Version 201503*
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter hrvoje.senjan@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

In the KF5/Plasma 5 world the kcheckpass binary has moved, and is now in
%_libdir/libexec/kcheckpass. Sources can be found in
plasma-workspace.git/ksmserver/screenlocker/kcheckpass/ (srcpkg is
plasma5-workspace).


Kcheckpass itself does *not* need to be SUID if the correct pam config module
is in place (pam_unix.so). This, however, does not work for upgraders from some
earlier openSUSE releases, as they have pam_unix2.so instead (apparently no one
checks the rpmnew files).

For these users we either need to make the binary SUID, or change pam not to
use %config(noreplace) for /etc/pam.d/ stuff.

If this doesn't get a whitelist, I'll try to see with pam people why they don't
use plain %config.
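
An added example, not part of the original report: a shell check for the upgrade leftover described above, listing PAM files that still load pam_unix2.so on an active line and .rpmnew files that %config(noreplace) left unmerged. The function names and the constructed sample tree are assumptions for illustration; /etc/pam.d is the directory named in the report.

```shell
#!/bin/sh
# Audit a PAM config directory for the two conditions in the report.
# Usage after sourcing: audit_pam_dir [DIR]   (DIR defaults to /etc/pam.d)
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
audit_pam_dir() {
    dir=${1:-/etc/pam.d}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.rpmnew)
                # Packaged default that rpm wrote next to a locally
                # modified file instead of replacing it.
                echo "PENDING  $f"
                findings=$((findings + 1))
                continue ;;
            *.rpmsave|*.rpmorig)
                # Backups of old configs are not read by PAM.
                continue ;;
        esac
        # Match pam_unix2.so only on lines whose first non-blank
        # character is not '#', i.e. lines PAM actually evaluates.
        if grep -Eq '^[[:space:]]*[^#[:space:]].*pam_unix2\.so' "$f"; then
            echo "UNIX2    $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree (not real system files) to try the function on.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    # Live file kept from the old release, still using pam_unix2.so.
    printf 'auth required pam_unix2.so\n' > "$d/common-auth"
    # New packaged default that was never merged.
    printf 'auth required pam_unix.so try_first_pass\n' > "$d/common-auth.rpmnew"
    # Already migrated: the old module only appears in a comment.
    printf '#auth required pam_unix2.so\nauth required pam_unix.so\n' > "$d/kde"
    echo "$d"
}
```

A pam_unix2.so mention in a trailing comment on an active line is also reported, so review each UNIX2 hit by hand.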

