Package: libpam-modules
Version: 1.5.3-7

Dear Maintainer,

As described in https://github.com/linux-pam/linux-pam/pull/373, unix_chkpwd does not need to be setuid or setgid anymore if it is given cap_dac_override via filecaps instead. I would like Debian to use filecaps instead of setgid shadow for /usr/sbin/unix_chkpwd so that the file itself can be owned by root:root and the setgid bit can be removed from the file.

Having all files in /usr owned by root:root is useful for image builders as it allows building Debian images in a stripped down user namespace with only the root user and nothing else available.

Cheers,
Daan
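
A check an image builder could run over an unpacked tree to see which files still carry set-id bits or non-root ownership, and which carry file capabilities instead. This is an added example, not part of the original report or of the PAM packaging; `audit_tree`, `tag` and the reason labels are hypothetical names, and `getcap` (from libcap) is used only if installed.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an unpacked image tree.
# audit_tree ROOT [UID] [GID] prints "<reason><TAB><path>" per finding.
# audit_tree, tag and the reason labels are hypothetical names chosen here.

# Prefix every line read on stdin with the reason given as $1.
tag() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$1" "$line"
    done
}

audit_tree() {
    root=$1
    want_uid=${2:-0}   # expected owner, root by default
    want_gid=${3:-0}   # expected group, root by default

    # Regular files that still carry a set-id bit.
    find "$root" -xdev -type f -perm -4000 -print | tag setuid
    find "$root" -xdev -type f -perm -2000 -print | tag setgid

    # Anything not owned by the expected uid:gid (for example root:shadow).
    find "$root" -xdev \( ! -user "$want_uid" -o ! -group "$want_gid" \) -print |
        tag owner

    # File capabilities replace the set-id bit; list them so they get reviewed.
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$root" 2>/dev/null | tag filecap
    fi
    return 0
}
```

On a tree in the state requested here, /usr/sbin/unix_chkpwd would produce no `setgid` or `owner` line, only a `filecap` line.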