On 28/10/14 16:34, Colin Guthrie wrote:
> It seems we have different permissions for /etc/{g}shadow than Fedora.
> We don't package it as 0000,root,root but rather 0440,root,shadow.

Who is "we"? Mageia? FYI, Debian uses 0640 root:shadow for the same files.

> We can then run some tools that need direct access as setgid rather than
> full blown setuid. I'm not totally convinced of the security benefits
> here (and I think actually 0440 is buggy for a setgid tool like chage -
> I'd have thought it would need to be 0660 to actually change the age,
> but I digress).

In Debian, the policy is that members of group shadow may read the shadow password files (so that, given a typed-in password, they may check whether it matches the stored hashed password) but only uid 0 may write those files.

Your file permissions seem consistent with that policy; your distro is probably relying on setuid-root tools being able to ignore the lack of read permission because they also get CAP_DAC_OVERRIDE.

S
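An added example, not part of this thread: it encodes the Debian policy stated in the reply (group shadow may read, only uid 0 may write) as a check over mode/owner/group, and answers the setgid question from the quoted aside by reading only the group bits. Function names are my own; `audit_file` assumes GNU `stat`.

```shell
#!/bin/sh
# Judged on mode bits only: a setuid-root tool also holds CAP_DAC_OVERRIDE
# and bypasses these bits entirely, which is why 0440 root:shadow still
# works for setuid-root tools but not for a setgid-shadow one that writes.

# octal_triplet MODE -> last three octal digits, zero-padded
# (drops the setuid/setgid/sticky digit if present).
octal_triplet() {
    m=$1
    while [ ${#m} -lt 3 ]; do m=0$m; done
    printf '%s\n' "${m#"${m%???}"}"
}

# shadow_policy MODE OWNER GROUP -> prints "ok" and returns 0 when the
# file matches "group shadow may read, only uid 0 may write"; otherwise
# prints the first violation found and returns 1.
shadow_policy() {
    p=$(octal_triplet "$1")
    g=${p#?}; g=${g%?}          # group digit
    w=${p#??}                   # other digit
    [ "$2" = root ] || { echo "bad-owner:$2"; return 1; }
    case $3 in root|shadow) ;; *) echo "bad-group:$3"; return 1 ;; esac
    [ "$w" -eq 0 ] || { echo "world-accessible"; return 1; }
    [ $(( g & 2 )) -eq 0 ] || { echo "group-writable"; return 1; }
    echo ok
}

# setgid_shadow_access MODE -> what a non-root process whose egid is the
# file's group (e.g. a setgid-shadow chage) can do: read, read+write,
# write, or none.
setgid_shadow_access() {
    p=$(octal_triplet "$1")
    g=${p#?}; g=${g%?}
    r=$(( g & 4 )); wr=$(( g & 2 ))
    if [ "$r" -ne 0 ] && [ "$wr" -ne 0 ]; then echo read+write
    elif [ "$r" -ne 0 ]; then echo read
    elif [ "$wr" -ne 0 ]; then echo write
    else echo none; fi
}

# audit_file PATH -> run shadow_policy on a real file (GNU stat assumed).
audit_file() {
    set -- "$1" $(stat -c '%a %U %G' "$1")
    shadow_policy "$2" "$3" "$4"
}

# Demo on a constructed file; /etc/shadow itself is not readable here.
tmp=$(mktemp -d); touch "$tmp/shadow"; chmod 0440 "$tmp/shadow"
audit_file "$tmp/shadow" || true   # reports bad-owner unless run as root
echo "setgid-shadow tool on 0440: $(setgid_shadow_access 0440)"
echo "setgid-shadow tool on 0660: $(setgid_shadow_access 0660)"
rm -rf "$tmp"
```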