Re: [systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?
Simon McVittie wrote on 28/10/14 16:54:
> On 28/10/14 16:34, Colin Guthrie wrote:
>> It seems we have different permissions for /etc/{g}shadow than fedora.
>> We don't package it as ,root,root but rather 0440,root,shadow.
>
> Who is we? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

Yeah, in this case I meant we=Mageia, but I figured we wouldn't be alone.

>> We can then run some tools that need direct access as setgid rather
>> than full blown setuid. I'm not totally convinced of the security
>> benefits here (and I think actually 0440 is buggy for a setgid tool
>> like chage - I'd have thought it would need to be 0660 to actually
>> change the age, but I digress).
>
> In Debian, the policy is that members of group shadow may read the
> shadow password files (so that, given a typed-in password, they may
> check whether it matches the stored hashed password) but only uid 0
> may write those files. Your file permissions seem consistent with that
> policy; your distro is probably relying on setuid-root tools being able
> to ignore the lack of read permission because they also get
> CAP_DAC_OVERRIDE.

That seems to fit in with what I'm seeing, yes.

I'll send a patch in a moment that looks as if it would address this issue (untested but looks safe enough - could be made a bit more streamlined if needs be but just left it verbose for now).

Col

-- 
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?
Colin Guthrie wrote on 29/10/14 14:19:
> I'll send a patch in a moment that looks as if it would address this
> issue (untested but looks safe enough - could be made a bit more
> streamlined if needs be but just left it verbose for now).

And here is another that is more verbose... whichever coding style is considered more correct. Again untested, but looks sane to me...

-- 
Colin Guthrie
Re: [systemd-devel] sysusers: Unconditional chown on /etc/{passwd, group, shadow, gshadow}? Is it sane?
On 28/10/14 16:34, Colin Guthrie wrote:
> It seems we have different permissions for /etc/{g}shadow than fedora.
> We don't package it as ,root,root but rather 0440,root,shadow.

Who is we? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

> We can then run some tools that need direct access as setgid rather
> than full blown setuid.

I'm not totally convinced of the security benefits here (and I think actually 0440 is buggy for a setgid tool like chage - I'd have thought it would need to be 0660 to actually change the age, but I digress).

In Debian, the policy is that members of group shadow may read the shadow password files (so that, given a typed-in password, they may check whether it matches the stored hashed password) but only uid 0 may write those files. Your file permissions seem consistent with that policy; your distro is probably relying on setuid-root tools being able to ignore the lack of read permission because they also get CAP_DAC_OVERRIDE.

S
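The two points argued over in this thread, whether the shadow files should be 0640 or 0440 root:shadow, and why a setuid-root tool can ignore the mode bits while a setgid-shadow tool like chage could read but not write a 0440 file, can both be checked mechanically. The following is an added example, not code from the thread's authors or from the systemd project. It encodes the two layouts named above (Debian 0640 root:shadow, Mageia 0440 root:shadow) as policies, audits the live files against one of them, and models the discretionary access decision so the setuid/setgid distinction can be reasoned about offline. The 0644 root:root entries for /etc/passwd and /etc/group, the existence of a "shadow" group, and the simplified DAC model (no ACLs, no supplementary groups) are assumptions of this example.

```python
"""Audit /etc/{passwd,group,shadow,gshadow} ownership and model the DAC check.

Added example for the systemd-devel thread above; not systemd code.
Assumptions: a "shadow" group exists, and passwd/group are 0644 root:root.
"""
import grp
import os
import pwd
import stat

# Expected (mode, owner, group) per file for the two layouts named in the thread.
POLICIES = {
    "debian": {
        "/etc/passwd": (0o644, "root", "root"),
        "/etc/group": (0o644, "root", "root"),
        "/etc/shadow": (0o640, "root", "shadow"),
        "/etc/gshadow": (0o640, "root", "shadow"),
    },
    "mageia": {
        "/etc/passwd": (0o644, "root", "root"),
        "/etc/group": (0o644, "root", "root"),
        "/etc/shadow": (0o440, "root", "shadow"),
        "/etc/gshadow": (0o440, "root", "shadow"),
    },
}


def compare(path, actual, expected):
    """Return a list of deviations for one file.

    `actual` and `expected` are (permission_bits, owner_name, group_name).
    Besides the policy comparison, two invariants hold for every layout:
    none of these files may be group- or world-writable, and the shadow
    files must never be world-readable.
    """
    mode, owner, group = actual
    want_mode, want_owner, want_group = expected
    findings = []
    if mode != want_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
    if owner != want_owner:
        findings.append(f"{path}: owner {owner}, expected {want_owner}")
    if group != want_group:
        findings.append(f"{path}: group {group}, expected {want_group}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others ({mode:04o})")
    if path.endswith("shadow") and mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable ({mode:04o})")
    return findings


def dac_allows(mode, owner_uid, group_gid, euid, egid, want_write,
               has_dac_override=False):
    """Simplified discretionary access check (no ACLs, no supplementary groups).

    uid 0, or any process holding CAP_DAC_OVERRIDE, bypasses the permission
    bits entirely. That is why a setuid-root tool is unaffected by a 0440
    mode, whereas a setgid-shadow tool is confined to the group bits and
    can read but not write a 0440 file.
    """
    if euid == 0 or has_dac_override:
        return True
    if euid == owner_uid:          # owner class takes precedence over group
        bits = (mode >> 6) & 0o7
    elif egid == group_gid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    needed = 0o2 if want_write else 0o4
    return bool(bits & needed)


def audit(policy_name, stat_fn=os.stat):
    """Audit the live system against a named policy; returns all findings."""
    findings = []
    for path, expected in POLICIES[policy_name].items():
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        actual = (stat.S_IMODE(st.st_mode), owner, group)
        findings.extend(compare(path, actual, expected))
    return findings


if __name__ == "__main__":
    import sys
    policy = sys.argv[1] if len(sys.argv) > 1 else "debian"
    for line in audit(policy) or ["no deviations from policy " + policy]:
        print(line)
```

Run it as `python3 audit_shadow.py mageia` (file name is this example's own choice) on a host to see how its packaging differs from the expected layout; `dac_allows` can be used interactively to confirm Simon's observation that a setgid-shadow chage could only read a 0440 shadow file.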