From 725c221b69609ca358e9f508e94fe9ce1bb56c1d Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Mon, 21 Jul 2025 11:16:10 +0200
Subject: [PATCH] login.defs: disable default subid assignment. Resolves: RHEL-103765 and CVE-2024-56433
Signed-off-by: Iker Pedrosa
---
 shadow-utils.login.defs | 4 ++--
 shadow-utils.spec | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/shadow-utils.login.defs b/shadow-utils.login.defs
index 0875b63..1dd8728 100644
--- a/shadow-utils.login.defs
+++ b/shadow-utils.login.defs
@@ -149,7 +149,7 @@ SYS_UID_MAX 999
 # Extra per user uids
 SUB_UID_MIN 100000
 SUB_UID_MAX 600100000
-SUB_UID_COUNT 65536
+SUB_UID_COUNT 0
 #
 # Min/max values for automatic gid selection in groupadd(8)
@@ -162,7 +162,7 @@ SYS_GID_MAX 999
 # Extra per user group ids
 SUB_GID_MIN 100000
 SUB_GID_MAX 600100000
-SUB_GID_COUNT 65536
+SUB_GID_COUNT 0
 #
 # Max number of login(1) retries if password is bad
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 5ac842a..c94343b 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 13%{?dist}
+Release: 14%{?dist}
 Epoch: 2
 License: BSD and GPLv2+
 URL: https://github.com/shadow-maint/shadow
@@ -353,6 +353,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 %changelog
+* Mon Jul 21 2025 Iker Pedrosa - 2:4.9-14
+- login.defs: disable default subid assignment.
+ Resolves: RHEL-103765 and CVE-2024-56433
+
 * Mon May 26 2025 Iker Pedrosa - 2:4.9-13
 - nss.c: shadow_logfd to stderr. Resolves: RHEL-83431
 - vipw: restore the original terminal pgrp after editing. Resolves: RHEL-70844 and RHEL-72940
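Review bot: In the two shadow-utils.login.defs hunks, `SUB_UID_COUNT 0` and `SUB_GID_COUNT 0` sit under the unchanged comments `# Extra per user uids` and `# Extra per user group ids`, which give no hint that 0 is a deliberate setting that turns off automatic subordinate ID allocation for new accounts. I would add a comment above each, for example `# 0 = no automatic subordinate ID allocation (CVE-2024-56433); assign ranges per user with usermod --add-subuids / --add-subgids`, so an administrator does not restore 65536 without knowing why it was removed. The changelog entry could also state that only the shipped default changes: ranges already recorded in /etc/subuid and /etc/subgid, and any locally modified login.defs, presumably keep the earlier allocation and are worth reviewing after the update.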