Use debputy to avoid Rules-Requires-Root: binary-targets

debian/control

@@ -8,6 +8,7 @@ Priority: required
 Build-Depends:
  bison,
  debhelper-compat (= 13),
+ dh-sequence-zz-debputy-rrr (>= 0.1.23~),
  docbook-xml <!nodoc>,
  docbook-xsl <!nodoc>,
  gettext,
@@ -24,15 +25,13 @@ Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
 Vcs-Browser: https://salsa.debian.org/debian/shadow
 Homepage: https://github.com/shadow-maint/shadow
-Rules-Requires-Root: binary-targets
+Rules-Requires-Root: no
 
 Package: passwd
 Architecture: any
 Multi-Arch: foreign
 Depends:
- libpam-modules,
- ${misc:Depends},
- ${shlibs:Depends}
+ libpam-modules
 Recommends:
  sensible-utils
 Description: change and administer password and group data
@@ -47,9 +46,7 @@ Multi-Arch: foreign
 Essential: yes
 Pre-Depends:
  libpam-modules,
- libpam-runtime,
- ${misc:Depends},
- ${shlibs:Depends}
+ libpam-runtime
 Breaks:
  hurd (<< 20140206~) [hurd-any]
 Conflicts:
@@ -66,9 +63,6 @@ Package: uidmap
 Architecture: any
 Multi-Arch: foreign
 Priority: optional
-Depends:
- ${misc:Depends},
- ${shlibs:Depends}
 Description: programs to help use subuids
  These programs help unprivileged users to create uid and gid mappings in
  user namespaces.
@@ -78,11 +72,6 @@ Section: libs
 Priority: optional
 Architecture: any
 Multi-Arch: same
-Pre-Depends:
- ${misc:Pre-Depends}
-Depends:
- ${misc:Depends},
- ${shlibs:Depends}
 Description: subordinate id handling library -- shared library
  The library provides an interface for querying, granding and ungranting
  subordinate user and group ids.
@@ -93,8 +82,7 @@ Priority: optional
 Architecture: any
 Multi-Arch: same
 Depends:
- libsubid4 (= ${binary:Version}),
- ${misc:Depends}
+ libsubid4 (= ${binary:Version})
 Description: subordinate id handling library -- shared library
  The library provides an interface for querying, granding and ungranting
  subordinate user and group ids.

debian/debputy.manifest

@@ -0,0 +1,37 @@
+manifest-version: '0.1'
+packages:
+  passwd:
+    transformations:
+    - path-metadata:
+        path: usr/bin/chfn
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/chsh
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/gpasswd
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/passwd
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/chage
+        group: "shadow"
+        mode: "u=rwx,go=rxs"
+    - path-metadata:
+        path: usr/bin/expiry
+        group: "shadow"
+        mode: "u=rwx,go=rxs"
+  login:
+    transformations:
+    - path-metadata:
+        path: usr/bin/newgrp
+        mode: "u=rwxs,go=rx"
+  uidmap:
+    transformations:
+    - path-metadata:
+        path: usr/bin/newgidmap
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/newuidmap
+        mode: "u=rwxs,go=rx"

debian/rules

@@ -55,25 +55,6 @@ override_dh_installpam:
 	dh_installpam -p passwd --name=chpasswd
 	dh_installpam -p passwd --name=newusers
 
-override_dh_builddeb-arch:
-	# uidmap
-	chmod u+s debian/uidmap/usr/bin/newuidmap
-	chmod u+s debian/uidmap/usr/bin/newgidmap
-	# login
-	# No real need for login to be setuid root
-	# chmod u+s debian/login/bin/login
-	chmod u+s debian/login/usr/bin/newgrp
-	# passwd
-	chmod u+s debian/passwd/usr/bin/chfn
-	chmod u+s debian/passwd/usr/bin/chsh
-	chmod u+s debian/passwd/usr/bin/gpasswd
-	chmod u+s debian/passwd/usr/bin/passwd
-	chgrp shadow debian/passwd/usr/bin/chage
-	chgrp shadow debian/passwd/usr/bin/expiry
-	chmod g+s debian/passwd/usr/bin/chage
-	chmod g+s debian/passwd/usr/bin/expiry
-	dh_builddeb -a
-
 override_dh_auto_clean:
 	sed -i 's/# Linux only # //' debian/login.pam
 	dh_auto_clean