login.defs: disable default subid assignment

Resolves: RHEL-104546 and CVE-2024-56433
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

shadow-utils.login.defs

@@ -148,7 +148,7 @@ SYS_UID_MAX               999
 # Extra per user uids
 SUB_UID_MIN		   524288
 SUB_UID_MAX		600100000
-SUB_UID_COUNT		    65536
+SUB_UID_COUNT			0
 
 #
 # Min/max values for automatic gid selection in groupadd(8)
@@ -161,7 +161,7 @@ SYS_GID_MAX               999
 # Extra per user group ids
 SUB_GID_MIN		   524288
 SUB_GID_MAX		600100000
-SUB_GID_COUNT		    65536
+SUB_GID_COUNT			0
 
 #
 # Max number of login(1) retries if password is bad

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.15.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 2
 License: BSD-3-Clause AND GPL-2.0-or-later
 URL: https://github.com/shadow-maint/shadow
@@ -282,6 +282,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
 %{_libdir}/libsubid.so
 
 %changelog
+* Mon Jul 21 2025 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-7
+- login.defs: disable default subid assignment.
+  Resolves: RHEL-104546 and CVE-2024-56433
+
 * Mon May 26 2025 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.15.0-6
 - vipw: restore the original terminal pgrp after editing. Resolves: RHEL-93172