Review Request 127341: Change the way SUID bits are managed

David Edmundson david at davidedmundson.co.uk
Sun Mar 13 01:50:47 UTC 2016


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/127341/#review93465
-----------------------------------------------------------


Ship it!




> The `kcheckpass` binary only needs the SUID bit set when building
> without PAM. If PAM is available, then there's no point in having a SUID
> bit set in the first place. This is also how, e.g., Gentoo builds this
> code anyway.

That reasoning isn't entirely true. 

Now pam_unix includes a suid binary /usr/bin/unix_chkpwd which is doing what this is doing. Older versions (10 years ago) didn't, so at the time we needed this for PAM.

However, you're right we don't now.

- David Edmundson


On March 11, 2016, 2:46 p.m., Jan Kundrát wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/127341/
> -----------------------------------------------------------
> 
> (Updated March 11, 2016, 2:46 p.m.)
> 
> 
> Review request for Plasma.
> 
> 
> Repository: kscreenlocker
> 
> 
> Description
> -------
> 
> The `kcheckpass` binary only needs the SUID bit set when building
> without PAM. If PAM is available, then there's no point in having a SUID
> bit set in the first place. This is also how, e.g., Gentoo builds this
> code anyway.
> 
> Also change the way the SUID bits are managed. Turns out that cmake
> has a feature for this, and I think that using this feature is better
> than attempting to call chown & chmod manually.
> 
> I don't see a potential for regressions here. The `chown` was previously
> attempted as a poor man's UID detection, so if the build was running as
> non-root, it wasn't possible to add a proper SUID bit, anyway.
> 
> 
> Diffs
> -----
> 
>   kcheckpass/CMakeLists.txt c7803c96f62c38edf2016c9160b66213dad89949 
> 
> Diff: https://git.reviewboard.kde.org/r/127341/diff/
> 
> 
> Testing
> -------
> 
> Builds both ways, and the results are as expected. With PAM, everything also works even without the suid bit -- and that's how Gentoo at least has been building this "for ages", AFAIK.
> 
> 
> Thanks,
> 
> Jan Kundrát
> 
>
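
The approach outlined in the review request, as an added example rather than the actual kscreenlocker change: a CMake fragment that requests the SUID bit through `install(... PERMISSIONS ... SETUID)` only when PAM is absent. The `PAM_FOUND` variable, the already-defined `kcheckpass` target and the libexec destination are assumptions.

```cmake
# Added example: hypothetical fragment, not the project's CMakeLists.txt.
# Assumes an executable target named `kcheckpass` is defined earlier and that
# PAM_FOUND was set by an earlier find_package() call.
include(GNUInstallDirs)

# Baseline mode 0755: no special bits.
set(kcheckpass_perms
    OWNER_READ OWNER_WRITE OWNER_EXECUTE
    GROUP_READ GROUP_EXECUTE
    WORLD_READ WORLD_EXECUTE)

if(NOT PAM_FOUND)
    # Without PAM the helper verifies the password itself and needs elevated
    # privileges, so request the SUID bit (mode 4755) at install time.
    list(APPEND kcheckpass_perms SETUID)
    message(STATUS "kcheckpass: installing with SUID bit (built without PAM)")
else()
    # With PAM the privileged check is delegated to PAM's own helper,
    # so the binary is installed without any special bits.
    message(STATUS "kcheckpass: installing without SUID bit (PAM found)")
endif()

# CMake applies the mode bits during `make install`; it does not change file
# ownership, so the bit only grants root privileges when the install step
# (or the distribution's packaging) leaves the file owned by root.
install(TARGETS kcheckpass
        RUNTIME DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
        PERMISSIONS ${kcheckpass_perms})
```

After a staged install, checking the mode and owner of the installed binary confirms which branch was taken: a PAM build should show no `s` in the owner execute position.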
