Re: [systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?

2014-10-29 Thread Colin Guthrie
Simon McVittie wrote on 28/10/14 16:54:
> On 28/10/14 16:34, Colin Guthrie wrote:
>> It seems we have different permissions for /etc/{g}shadow than fedora.
>> We don't package it as ,root,root but rather 0440,root,shadow.
>
> Who is we? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

Yeah in this case, I meant we=Mageia, but I figured we wouldn't be alone.

>> We can then run some tools that need direct access as setgid rather than
>> full blown setuid. I'm not totally convinced of the security benefits
>> here (and I think actually 0440 is buggy for a setgid tool like chage -
>> I'd have thought it would need to be 0660 to actually change the age,
>> but I digress).
>
> In Debian, the policy is that members of group shadow may read the
> shadow password files (so that, given a typed-in password, they may
> check whether it matches the stored hashed password) but only uid 0 may
> write those files. Your file permissions seem consistent with that
> policy; your distro is probably relying on setuid-root tools being able
> to ignore the lack of read permission because they also get
> CAP_DAC_OVERRIDE.

That seems to fit in with what I'm seeing yes.

I'll send a patch in a moment that looks as if it would address this
issue (untested but looks safe enough - could be made a bit more
streamlined if needs be but just left it verbose for now)

Col

-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?

2014-10-29 Thread Colin Guthrie
Colin Guthrie wrote on 29/10/14 14:19:
> I'll send a patch in a moment that looks as if it would address this
> issue (untested but looks safe enough - could be made a bit more
> streamlined if needs be but just left it verbose for now)

And here is another that is more verbose... whichever coding style is
considered more correct.

Again untested, but looks sane to me...

-- 

Colin Guthrie


Re: [systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?

2014-10-28 Thread Simon McVittie
On 28/10/14 16:34, Colin Guthrie wrote:
> It seems we have different permissions for /etc/{g}shadow than fedora.
> We don't package it as ,root,root but rather 0440,root,shadow.

Who is we? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

> We can then run some tools that need direct access as setgid rather than
> full blown setuid. I'm not totally convinced of the security benefits
> here (and I think actually 0440 is buggy for a setgid tool like chage -
> I'd have thought it would need to be 0660 to actually change the age,
> but I digress).

In Debian, the policy is that members of group shadow may read the
shadow password files (so that, given a typed-in password, they may
check whether it matches the stored hashed password) but only uid 0 may
write those files. Your file permissions seem consistent with that
policy; your distro is probably relying on setuid-root tools being able
to ignore the lack of read permission because they also get
CAP_DAC_OVERRIDE.

S
