Shadow passwords were enabled by default in r28936, but most of the benefit was not realized because the shadow file was allowed to be world-readable. This change sets /etc/shadow's mode to 0600 in the base-files package, and ensures that its permissions are not clobbered when building an image.
Signed-off-by: Mark Mentovai <m...@moxienet.com> --- Index: include/image.mk =================================================================== --- include/image.mk (revision 31782) +++ include/image.mk (working copy) @@ -142,7 +142,7 @@ define Image/mkfs/prepare/default # Use symbolic permissions to avoid clobbering SUID/SGID/sticky bits - - $(FIND) $(TARGET_DIR) -type f -not -perm +0100 -not -name 'ssh_host*' -print0 | $(XARGS) -0 chmod u+rw,g+r,o+r + - $(FIND) $(TARGET_DIR) -type f -not -perm +0100 -not -name 'ssh_host*' -not -name shadow -print0 | $(XARGS) -0 chmod u+rw,g+r,o+r - $(FIND) $(TARGET_DIR) -type f -perm +0100 -print0 | $(XARGS) -0 chmod u+rwx,g+rx,o+rx - $(FIND) $(TARGET_DIR) -type d -print0 | $(XARGS) -0 chmod u+rwx,g+rx,o+rx $(INSTALL_DIR) $(TARGET_DIR)/tmp Index: package/base-files/Makefile =================================================================== --- package/base-files/Makefile (revision 31782) +++ package/base-files/Makefile (working copy) @@ -453,6 +453,7 @@ # from /etc/passwd, and adding on pw change data cut -d ':' -f 1-2 $(1)/etc/passwd > $(1)/etc/shadow; \ $(SED) 's/$$$$/:0:0:99999:7:::/' $(1)/etc/shadow + chmod 0600 $(1)/etc/shadow $(VERSION_SED) \ $(1)/etc/banner \ _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
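Review bot: The `-not -name shadow` test added to the first `$(FIND)` sweep only stops this step from widening the file; nothing in `Image/mkfs/prepare/default` sets a restrictive mode, so an `etc/shadow` that reaches `$(TARGET_DIR)` already group- or world-readable (for example from a source other than base-files) would ship that way. The test also matches on basename, so any regular non-executable file named `shadow` anywhere in the tree is skipped, not just `/etc/shadow`. I would narrow it to `-not -path '$(TARGET_DIR)/etc/shadow'` and add, after the three sweeps, `[ ! -f $(TARGET_DIR)/etc/shadow ] || chmod go-rwx $(TARGET_DIR)/etc/shadow`, which keeps the symbolic style the existing comment asks for. The define ends outside the hunk.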
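Review bot: The new `chmod 0600 $(1)/etc/shadow` protects only the copy: the `cut -d ':' -f 1-2 $(1)/etc/passwd` line above it takes the password field from `passwd`, and nothing visible in this hunk blanks that field in `passwd` afterwards, so any hash present there would stay world-readable. Please confirm that is handled elsewhere in the recipe, which starts and ends outside the hunk. The line also deserves a comment tying it to the image step, e.g. `# password hashes: owner-only; include/image.mk skips this file in its permission sweep`.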