Bug ID | 926267 |
---|---|
Summary | Allow kcheckpass to be SUID |
Classification | openSUSE |
Product | openSUSE Factory |
Version | 201503* |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | hrvoje.senjan@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
In KF5/Plasma 5 world the kcheckpass binary has moved, and is now in %_libdir/libexec/kcheckpass. Sources can be found in plasma-workspace.git/ksmserver/screenlocker/kcheckpass/ (srcpkg is plasma5-workspace). Kcheckpass itself does *not* need to be SUID, if the correct pam config module is in place (pam_unix.so). This however does not work for upgraders from some earlier openSUSE releases, as they have pam_unix2.so instead (apparently no one checks the rpmnew files). For these users we either need to make the binary SUID, or change pam not to use %config(noreplace) for /etc/pam.d/ stuff. If this doesn't get a whitelist, I'll try to see with pam people why they don't use plain %config.
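
A check for the upgrade leftover described in this report, added here as an example (it is not part of the bug report or of any openSUSE package): it lists PAM service files that still load pam_unix2.so, the unmerged .rpmnew files beside them, and whether a given kcheckpass binary is SUID. The function names, status strings, and the directory and binary arguments are assumptions.

```sh
#!/bin/sh
# Added example, not from the report. Arguments are assumptions:
#   $1 = PAM service directory (e.g. /etc/pam.d)
#   $2 = path to the kcheckpass binary on this system

# Print service files with an active (non-comment) line naming pam_unix2.so.
pam_unix2_users() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Skip RPM leftovers; only live configuration counts here.
        case $f in *.rpmnew|*.rpmsave|*.rpmorig) continue ;; esac
        if grep -Eq '^[[:space:]]*[^#[:space:]].*pam_unix2\.so' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# For each stale service file, print the .rpmnew beside it, if any.
# Those are the packaged configs that %config(noreplace) left unmerged.
unmerged_rpmnew() {
    pam_unix2_users "$1" | while IFS= read -r f; do
        if [ -f "$f.rpmnew" ]; then
            printf '%s\n' "$f.rpmnew"
        fi
    done
}

# Summarise the situation for one kcheckpass binary:
#   pam-ok           no live file loads pam_unix2.so
#   stale-pam-suid   pam_unix2.so still in use, binary is SUID
#   stale-pam-nosuid pam_unix2.so still in use, binary is not SUID
kcheckpass_status() {
    if [ -z "$(pam_unix2_users "$1")" ]; then
        echo "pam-ok"
    elif [ -u "${2:-}" ]; then
        echo "stale-pam-suid"
    else
        echo "stale-pam-nosuid"
    fi
}

# Run as: script <pam-dir> <kcheckpass-path>
if [ "$#" -gt 0 ]; then
    pam_unix2_users "$1"
    unmerged_rpmnew "$1"
    kcheckpass_status "$1" "${2:-}"
fi
```

A result of stale-pam-nosuid is the case the report is about; merging the listed .rpmnew files moves the system to pam-ok without a SUID binary.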