http://bugzilla.opensuse.org/show_bug.cgi?id=926267 Bug ID: 926267 Summary: Allow kcheckpass to be SUID Classification: openSUSE Product: openSUSE Factory Version: 201503* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: hrvoje.senjan@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- In KF5/Plasma 5 world the kcheckpass binary has moved, and is now in %_libdir/libexec/kcheckpass. Sources can be found in plasma-workspace.git/ksmserver/screenlocker/kcheckpass/ (srcpkg is plasma5-workspace). Kcheckpass itself does *not* need to be SUID, if the correct pam config module is in place (pam_unix.so). This however does not work for upgraders from some earlier openSUSE releases, as the have pam_unix2.so instead (apparently noone checks the rpmnew files). For these users we either need to make the binary SUID, or change pam not to use %config(noreplace) for /etc/pam.d/ stuff. If this doesn't get a whitelist, i'll try to see with pam people why they don't use plain %config -- You are receiving this mail because: You are on the CC list for the bug.