The password-changing helper functionality for SELinux systems has been

split out into a separate unix_update binary, so at long last we can
change unix_chkpwd to be sgid shadow instead of suid root.
Closes: #155583.

2 files changed, 6 insertions, 1 deletions

diff --git a/debian/changelog b/debian/changelog
index c9e8f397..7678c615 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,10 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
     pam_rhosts_auth introduced upstream in 0.99.9.0: we want to cast the
     result of inet_addr to int32_t, not the result of a boolean *comparison*
     on inet_addr's result...
+  * The password-changing helper functionality for SELinux systems has been
+    split out into a separate unix_update binary, so at long last we can
+    change unix_chkpwd to be sgid shadow instead of suid root.
+    Closes: #155583.
   * Use a pristine upstream tarball instead of repacking; requires various
     changes to debian/rules and debhelper files.
   * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn,
diff --git a/debian/rules b/debian/rules
index 89bff84f..ad9ccc9b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -137,7 +137,8 @@ binary-arch: install
 	dh_strip -a
 	dh_compress -a
 	dh_fixperms -a
-	chmod 04755 $(d)/libpam-modules/sbin/unix_chkpwd
+	chmod 02755 $(d)/libpam-modules/sbin/unix_chkpwd
+	chgrp shadow $(d)/libpam-modules/sbin/unix_chkpwd
 	dh_makeshlibs -plibpam0g -V "libpam0g (>= 0.99.7.1)"
 	dh_installdeb -a
 	dh_shlibdeps -a -L libpam0g -l$(CURDIR)/debian/libpam0g/lib