http://bugzilla.suse.com/show_bug.cgi?id=1162950

Bug ID: 1162950
Summary: AUDIT-1: pam: mode of /sbin/unix*_chkpwd
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: josef.moellers@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: jsegitz@suse.com, malte.kraus@suse.com, security-team@suse.de
Found By: ---
Blocker: ---

In the proactive security we noticed that /sbin/unix_chkpwd and /sbin/unix2_chkpwd are installed setuid-root per our long-standing entries in our permissions package configuration. The following mode and ownership are set:

-rwsr-xr-x 1 root shadow 15K 6. Nov 14:41 /sbin/unix2_chkpwd
-rwsr-xr-x 1 root shadow 27K 6. Nov 14:41 /sbin/unix_chkpwd

The programs are installed with privileges to allow them to check against password hashes in /etc/shadow. /etc/shadow is actually owned by the shadow group:

-rw-r----- 1 root shadow 1.1K 26. Jul 2019 /etc/shadow

So the question we have is why unix*_chkpwd aren't installed setgid-shadow instead of setuid-root? It looks like this would be sufficient. The current setting with unix_chkpwd being owned by the shadow group but also having the setuid-root bit doesn't make sense in any case.

If you can confirm that installing them setgid-shadow is sufficient then we can adjust the permissions configuration accordingly.

Thank you.
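
The permission reasoning in the report can be checked mechanically. The following is an added example, not part of the original report or of the permissions package: it parses the ls -l lines quoted above and reports, for each setuid-root helper, the setgid mode that would still give read access to the target file. The function names are hypothetical, and the check covers file permissions only; whether the programs need root for anything else is the question the report leaves to the maintainer.

```python
import re

# ls -l lines as quoted in the report; size and date fields are ignored.
HELPERS = [
    "-rwsr-xr-x 1 root shadow 15K 6. Nov 14:41 /sbin/unix2_chkpwd",
    "-rwsr-xr-x 1 root shadow 27K 6. Nov 14:41 /sbin/unix_chkpwd",
]
TARGET = "-rw-r----- 1 root shadow 1.1K 26. Jul 2019 /etc/shadow"

LS_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s.*\s(?P<path>/\S+)$"
)

def parse_ls(line):
    """Turn one ls -l line into path, owner, group and numeric mode bits."""
    m = LS_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ls -l line: {line!r}")
    sym, bits = m["mode"], 0
    for i, ch in enumerate(sym[1:]):
        if ch in "rwxst":          # lowercase s/t also imply the execute bit
            bits |= 1 << (8 - i)
    bits |= 0o4000 if sym[3] in "sS" else 0   # setuid
    bits |= 0o2000 if sym[6] in "sS" else 0   # setgid
    bits |= 0o1000 if sym[9] in "tT" else 0   # sticky
    return {"path": m["path"], "owner": m["owner"], "group": m["group"], "mode": bits}

def assess(helper_line, target_line):
    """Report whether a setuid-root helper could read the target via setgid alone."""
    h, t = parse_ls(helper_line), parse_ls(target_line)
    setuid_root = bool(h["mode"] & 0o4000) and h["owner"] == "root"
    # Read access through the group needs the helper's group to own the target
    # and the target's group-read bit to be set.
    group_can_read = h["group"] == t["group"] and bool(t["mode"] & 0o040)
    candidate = None
    if setuid_root and group_can_read:
        candidate = "%04o" % ((h["mode"] & ~0o4000) | 0o2000)
    return {"path": h["path"], "current": "%04o" % h["mode"],
            "setuid_root": setuid_root, "candidate": candidate}

if __name__ == "__main__":
    for line in HELPERS:
        print(assess(line, TARGET))
```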