[systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?

Colin Guthrie gmane at colin.guthr.ie
Wed Oct 29 07:19:28 PDT 2014


Simon McVittie wrote on 28/10/14 16:54:
> On 28/10/14 16:34, Colin Guthrie wrote:
>> It seems we have different permissions for /etc/{g}shadow than fedora.
>> We don't package it as 0000,root,root but rather 0440,root,shadow.
> 
> Who is "we"? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

Yeah, in this case I meant we=Mageia, but I figured we wouldn't be alone.

>> We can then run some tools that need direct access as setgid rather than
>> full blown setuid. I'm not totally convinced of the security benefits
>> here (and I think actually 0440 is buggy for a setgid tool like chage -
>> I'd have thought it would need to be 0660 to actually change the age,
>> but I digress).
> 
> In Debian, the policy is that members of group shadow may read the
> shadow password files (so that, given a typed-in password, they may
> check whether it matches the stored hashed password) but only uid 0 may
> write those files. Your file permissions seem consistent with that
> policy; your distro is probably relying on setuid-root tools being able
> to ignore the lack of read permission because they also get
> CAP_DAC_OVERRIDE.

That seems to fit in with what I'm seeing, yes.

I'll send a patch in a moment that looks as if it would address this
issue (untested, but it looks safe enough; it could be made a bit more
streamlined if need be, but I've left it verbose for now).

Col

-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
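An added audit script, not part of this thread or of systemd, that encodes the rule Simon describes (only uid 0 may write the shadow files, group "shadow" may at most read them, nobody else gets access) and the 0644 root:root expectation for the public files; the function and file names are the example's own assumptions, and the mode/owner/group strings in the checks are constructed inputs.

```sh
#!/bin/sh
# Added example (not from the thread): check the mode/owner/group of the
# account database files. Accepts Fedora's 0000 root:root, Mageia's
# 0440 root:shadow and Debian's 0640 root:shadow for shadow/gshadow;
# rejects group-writable modes such as 0660 and anything readable by "other".

# shadow_perms_sane MODE OWNER GROUP -> exit 0 if the combination is sane
shadow_perms_sane() {
    mode=$1 owner=$2 group=$3
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done  # "640" -> "0640"
    [ "$owner" = root ] || return 1                 # only root may own it
    special=${mode%???}                             # setuid/setgid/sticky digit
    o=${mode#???}                                   # "other" digit
    g=${mode%?}; g=${g#??}                          # group digit
    u=${mode%??}; u=${u#?}                          # owner digit
    [ "$special" = 0 ] && [ "$o" = 0 ] || return 1  # no special bits, no world access
    case $u in 0|4|6) ;; *) return 1 ;; esac        # owner: at most rw, never exec
    case $g in
        0) return 0 ;;                              # no group access is always fine
        4) [ "$group" = shadow ] ;;                 # read-only, and only for group shadow
        *) return 1 ;;                              # any group write/exec bit is wrong
    esac
}

# public_db_perms_sane MODE OWNER GROUP -> for /etc/passwd and /etc/group,
# which must stay world-readable for NSS lookups but writable by root alone.
public_db_perms_sane() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    [ "$2" = root ] && [ "$3" = root ] && [ "$mode" = 0644 ]
}

# audit_file PATH -> prints a verdict; relies on GNU stat's %a %U %G format
audit_file() {
    info=$(stat -c '%a %U %G' "$1") || return 1
    set -- "$1" $info
    case $1 in
        */shadow|*/gshadow) shadow_perms_sane "$2" "$3" "$4" ;;
        *)                  public_db_perms_sane "$2" "$3" "$4" ;;
    esac && echo "OK   $1 $2 $3:$4" || echo "BAD  $1 $2 $3:$4"
}

if [ $# -gt 0 ]; then
    for f in "$@"; do audit_file "$f"; done  # e.g. ./audit.sh /etc/passwd /etc/shadow
fi
```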


More information about the systemd-devel mailing list