[systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?

Simon McVittie simon.mcvittie at collabora.co.uk
Tue Oct 28 09:54:29 PDT 2014


On 28/10/14 16:34, Colin Guthrie wrote:
> It seems we have different permissions for /etc/{g}shadow than fedora.
> We don't package it as 0000,root,root but rather 0440,root,shadow.

Who is "we"? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

> We can then run some tools that need direct access as setgid rather than
> full blown setuid. I'm not totally convinced of the security benefits
> here (and I think actually 0440 is buggy for a setgid tool like chage -
> I'd have thought it would need to be 0660 to actually change the age,
> but I digress).

In Debian, the policy is that members of group shadow may read the
shadow password files (so that, given a typed-in password, they may
check whether it matches the stored hashed password) but only uid 0 may
write those files. Your file permissions seem consistent with that
policy; your distro is probably relying on setuid-root tools being able
to ignore the lack of read permission because they also get
CAP_DAC_OVERRIDE.

    S
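As an added example (not part of the thread, and not code from Debian, Mageia or systemd), here is a small POSIX shell audit of the shadow-file policy Simon describes: group "shadow" (or nobody) may read, only uid 0 may write, and nobody else gets anything. It accepts all three conventions mentioned above (0000 root:root, 0440 root:shadow, 0640 root:shadow) and rejects anything wider. Owner bits are deliberately not constrained, since root bypasses them through CAP_DAC_OVERRIDE anyway. It assumes GNU coreutils `stat -c` (Linux); the accepted owner and group names are an assumption taken from the Debian layout.

```shell
#!/bin/sh
# Audit /etc/shadow-style permissions. Added example, not from the thread.
# Assumes GNU coreutils `stat -c` and the Debian owner/group convention.

# shadow_mode_ok MODE
#   MODE is an octal string as printed by `stat -c %a` ("640", "0", "2750").
#   Succeeds only if "other" has no bits and group has at most read.
#   Owner bits are ignored: a setuid-root tool holds CAP_DAC_OVERRIDE and
#   reads/writes regardless, so they do not widen access to anyone else.
shadow_mode_ok() {
    perm=$(( 0$1 & 0777 ))          # leading 0 forces octal; mask off suid/sgid/sticky
    other=$(( perm & 7 ))
    grp=$(( (perm >> 3) & 7 ))
    [ "$other" -eq 0 ] && [ $(( grp & 3 )) -eq 0 ]   # group may have r, never w or x
}

# shadow_file_ok PATH
#   Combines the mode check with the ownership rule: owner root, group
#   root or shadow. Returns 2 if the file cannot be stat'ed, 1 on violation.
shadow_file_ok() {
    out=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 2
    set -- $out                      # $1=mode $2=owner $3=group
    [ "$2" = root ] || return 1
    case $3 in root|shadow) ;; *) return 1 ;; esac
    shadow_mode_ok "$1"
}

# audit_shadow_files [FILE...]
#   Prints one line per file; returns 1 if any file violates the policy.
#   Defaults to the two shadow files (passwd and group are world-readable
#   by design and are not covered by this policy).
audit_shadow_files() {
    [ $# -gt 0 ] || set -- /etc/shadow /etc/gshadow
    rc=0
    for f; do
        desc=$(stat -c '%a %U:%G' "$f" 2>/dev/null || echo missing)
        if shadow_file_ok "$f"; then
            printf 'OK   %s (%s)\n' "$f" "$desc"
        else
            printf 'FAIL %s (%s)\n' "$f" "$desc"
            rc=1
        fi
    done
    return $rc
}
```

Source the file and call `audit_shadow_files` (or append `audit_shadow_files "$@"` to run it as a script); a non-zero exit means at least one file is readable or writable more widely than the policy allows. Note that `stat` only needs search permission on /etc, so the audit itself does not require root.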
