Hi everyone,

As this is my first message on the list, let me introduce myself. I'm in charge 
of Product Security at Eviden, and I'm currently interested in hardening some 
Baseboard Management Controllers (BMCs) running on Linux (OpenBMC). As a company, 
we are an HPC and Enterprise server vendor.

As part of this hardening effort, we are investigating some mechanisms to 
segregate some critical files into a separate memory area, for instance 
/etc/passwd and /etc/shadow. The rationale for this is that these files may 
have to survive a reset-to-defaults, while being kept read-write in normal 
use. The user may want to change their passwords 😉. On the other hand, other 
files in /etc must reside in read-only memory as they are bound to the hardware.

The approach we had in mind was to move the corresponding files to a different 
location and set a symbolic link at the usual place in /etc. During testing, we 
discovered a limitation in shadow which prevents it from following links. Namely, 
the opening of the file in lib/commonio.c uses the O_NOFOLLOW flag.
https://serverfault.com/questions/491033/cannot-useradd-adduser-when-etc-passwd-shadow-group-are-symlink-debian-squee

As we are on an embedded Linux, we could just recompile shadow without this 
flag. But before doing this, I'd like to understand the rationale for this 
flag. Can anyone provide clarification on this?

Thanks in advance.




Bien cordialement / Kind regards,



Florent Chabaud
Chief Product Security Officer – BDS
M: +33 (0) 675 084 850
Rue du Gros Caillou – 78340 Les Clayes-sous-Bois – France
eviden.com<https://eviden.com/>

an atos business

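The limitation described in the message above, reproduced as an added example (my own code, not shadow's and not part of the original post). It builds a throwaway layout with the real file in a "data" directory and a symlink at the "etc" path (hypothetical paths, constructed sample entries), then opens both with and without O_NOFOLLOW. The second half shows a caveat the message does not raise: even with O_NOFOLLOW gone, an updater that commits a change by writing a temporary file and renaming it over the database (which, to my understanding and not stated above, is how shadow's commonio produces its "file+" and "file-" siblings) replaces the symlink with a regular file, so the copy in the persistent area silently stops receiving updates.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcome bits reported by nofollow_demo(). */
enum {
    REGULAR_OPEN_OK       = 1 << 0, /* O_NOFOLLOW open of a regular file succeeds    */
    SYMLINK_OPEN_ELOOP    = 1 << 1, /* O_NOFOLLOW open of a symlink fails with ELOOP */
    SYMLINK_FOLLOW_OK     = 1 << 2, /* the same symlink opens without O_NOFOLLOW     */
    RENAME_CLOBBERS_LINK  = 1 << 3, /* rename() onto the symlink replaces the link   */
    PERSISTENT_COPY_STALE = 1 << 4, /* ... and the file behind the link is untouched */
};

/* Open `path` read-only with O_NOFOLLOW, as lib/commonio.c does.
 * Returns 0 on success or the errno value on failure (ELOOP for a symlink). */
int open_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Create/truncate `path` with the given contents. Returns 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return (n == (ssize_t)strlen(text)) ? 0 : -1;
}

/* Scratch layout (hypothetical, under a mkdtemp() directory):
 *   data/shadow                    the real file, standing in for the persistent area
 *   etc/shadow -> ../data/shadow   the symlink at the usual place
 * Step 1: open both with and without O_NOFOLLOW.
 * Step 2: write etc/shadow+ and rename() it onto etc/shadow, the way a
 *         write-temp-then-rename updater commits a change.
 * Returns the OR of the bits above; 0 means the fixture could not be built. */
int nofollow_demo(void)
{
    const char *orig    = "root:*:0:0:99999:7:::\n";         /* constructed entry */
    const char *updated = "root:*:0:0:99999:7:::\n"
                          "alice:*:19000:0:99999:7:::\n";    /* constructed entry */
    char dir[]  = "/tmp/nofollow-demo-XXXXXX";
    char here[] = "./nofollow-demo-XXXXXX";
    char *root = mkdtemp(dir) ? dir : mkdtemp(here);          /* fall back to cwd */
    if (root == NULL)
        return 0;

    char data[256], real[256], etc[256], link[256], tmp[256];
    snprintf(data, sizeof data, "%s/data", root);
    snprintf(real, sizeof real, "%s/data/shadow", root);
    snprintf(etc,  sizeof etc,  "%s/etc", root);
    snprintf(link, sizeof link, "%s/etc/shadow", root);
    snprintf(tmp,  sizeof tmp,  "%s/etc/shadow+", root);

    int result = 0;
    if (mkdir(data, 0700) == 0 && mkdir(etc, 0700) == 0 &&
        write_file(real, orig) == 0 && symlink("../data/shadow", link) == 0) {

        if (open_nofollow(real) == 0)
            result |= REGULAR_OPEN_OK;
        if (open_nofollow(link) == ELOOP)
            result |= SYMLINK_OPEN_ELOOP;
        int fd = open(link, O_RDONLY);            /* no O_NOFOLLOW: follows the link */
        if (fd >= 0) {
            result |= SYMLINK_FOLLOW_OK;
            close(fd);
        }

        struct stat st;
        if (write_file(tmp, updated) == 0 && rename(tmp, link) == 0 &&
            lstat(link, &st) == 0 && S_ISREG(st.st_mode))
            result |= RENAME_CLOBBERS_LINK;       /* etc/shadow is now a plain file */
        if (stat(real, &st) == 0 && (size_t)st.st_size == strlen(orig))
            result |= PERSISTENT_COPY_STALE;      /* data/shadow never saw the update */
    }

    /* Best-effort cleanup of the scratch tree. */
    unlink(tmp); unlink(link); unlink(real);
    rmdir(etc); rmdir(data); rmdir(root);
    return result;
}

int main(void)
{
    int r = nofollow_demo();
    printf("regular file, O_NOFOLLOW : %s\n", (r & REGULAR_OPEN_OK) ? "opens" : "fails");
    printf("symlink, O_NOFOLLOW      : %s\n", (r & SYMLINK_OPEN_ELOOP) ? "ELOOP" : "opens");
    printf("symlink, plain open      : %s\n", (r & SYMLINK_FOLLOW_OK) ? "opens" : "fails");
    printf("rename() onto symlink    : %s\n", (r & RENAME_CLOBBERS_LINK) ? "link replaced" : "link kept");
    printf("persistent copy          : %s\n", (r & PERSISTENT_COPY_STALE) ? "stale" : "updated");
    return r == (REGULAR_OPEN_OK | SYMLINK_OPEN_ELOOP | SYMLINK_FOLLOW_OK |
                 RENAME_CLOBBERS_LINK | PERSISTENT_COPY_STALE) ? 0 : 1;
}
```

Build and run with `cc -Wall -o nofollow-demo nofollow-demo.c && ./nofollow-demo`. The rename outcome is why I would not stop at dropping O_NOFOLLOW: a bind mount of the persistent file (or its directory) over the /etc path keeps /etc/shadow a regular file from shadow's point of view and avoids both issues. That is a suggestion of mine, not something the message evaluates.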




_______________________________________________
Pkg-shadow-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
