login.defs: disable default subid assignment.

Resolves: RHEL-103765 and CVE-2024-56433
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

shadow-utils.login.defs

@@ -149,7 +149,7 @@ SYS_UID_MAX               999
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
-SUB_UID_COUNT		    65536
+SUB_UID_COUNT			0
 
 #
 # Min/max values for automatic gid selection in groupadd(8)
@@ -162,7 +162,7 @@ SYS_GID_MAX               999
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
-SUB_GID_COUNT		    65536
+SUB_GID_COUNT			0
 
 #
 # Max number of login(1) retries if password is bad

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 13%{?dist}
+Release: 14%{?dist}
 Epoch: 2
 License: BSD and GPLv2+
 URL: https://github.com/shadow-maint/shadow
@@ -353,6 +353,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
+* Mon Jul 21 2025 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-14
+- login.defs: disable default subid assignment.
+  Resolves: RHEL-103765 and CVE-2024-56433
+
 * Mon May 26 2025 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-13
 - nss.c: shadow_logfd to stderr. Resolves: RHEL-83431
 - vipw: restore the original terminal pgrp after editing. Resolves: RHEL-70844 and RHEL-72940