[Pkg-shadow-devel] Bug#166793: Confirmed but is it a bug? pwconv does not create shadow "root.shadow"

Nicolas François <nicolas.francois@centraliens.net>, 166793@bugs.debian.org
Tue, 12 Apr 2005 13:46:22 +0200


On Mon, Apr 11, 2005 at 07:04:09PM +0200, Christian Perrier wrote:
> I confirm that pwconv does not indeed create the /etc/shadow file as
> root.shadow.
> 
> However, the file is also created 0400, so the group owning it is not
> really useful.
> 
> So, what is the most appropriate for /etc/shadow:
> 
> -0400 root.whatever
> -0440 root.shadow
> 
> I tend to prefer the first solution. The latter would have only one
> benefit: allowing "setgid shadow" utilities to read shadow... and we
> don't seem to have any of these in Debian.
> 
> Comments?

I rather like the second one (but this may be Debian specific). Here are
my arguments:

 * the cyrus authentication daemon (as stated by the submitter) can be
   used to authenticate an IMAP user, and can need (this is neither the
   default nor a recommended authentication method) the shadow file.
   Cyrus recommends adding the cyrus user to the shadow group when this
   authentication method is used.

 * shadowconfig uses "chown root:shadow shadow gshadow" (this is a
   Debian specific script, used IIRC during an installation).

 * passwd will also change the owner and permissions after every password
   change (however, these modifications are performed by PAM, in a Debian
   patch for PAM)

 * chage and expiry are setgid shadow (this is Debian specific).
   This permits a user to find the age of her own password.

 * the doc/HOWTO file mentions the shadow group many times (but this file
   is not distributed, so it's maybe not an argument ;)


Kind Regards,
-- 
Nekral
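The two layouts debated in this thread (0400 root with any group, or 0440 root:shadow so that setgid-shadow helpers such as chage and expiry can read the file) can be turned into a small audit. The script below is an added example and is not part of the bug report or of the shadow package; it assumes GNU stat (`stat -c '%a %U %G'`) and treats every other owner/mode/group combination as a problem to report.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a shadow-style file against
# the two layouts discussed above:
#   0400 root:<any>   -- group is irrelevant, only root can read it
#   0440 root:shadow  -- setgid-shadow helpers (chage, expiry) may read it
# Anything else (other-readable, non-root owner, 0440 with a group other
# than "shadow") is reported as a problem.

# shadow_policy_ok MODE OWNER GROUP
# MODE is the octal permission string as printed by `stat -c %a` (e.g. 440).
# Returns 0 when the triple matches one of the accepted layouts, 1 otherwise.
shadow_policy_ok() {
    mode=$1; owner=$2; group=$3
    [ "$owner" = root ] || return 1
    case "$mode" in
        400) return 0 ;;                         # nobody but root can read it
        440) [ "$group" = shadow ] && return 0 ;; # group read only for "shadow"
    esac
    return 1
}

# audit_shadow_file PATH
# Reads the real metadata with GNU stat (assumed) and applies the policy.
# Prints a one-line verdict; the exit status mirrors shadow_policy_ok.
audit_shadow_file() {
    f=$1
    meta=$(stat -c '%a %U %G' "$f" 2>/dev/null) || return 1
    set -- $meta
    if shadow_policy_ok "$1" "$2" "$3"; then
        echo "OK      $f ($1 $2:$3)"
        return 0
    fi
    echo "PROBLEM $f ($1 $2:$3): expected 0400 root:* or 0440 root:shadow"
    return 1
}

# Usage: sh shadow_audit.sh /etc/shadow /etc/gshadow
# (these are the two files shadowconfig chowns to root:shadow)
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do
        audit_shadow_file "$f" || rc=1
    done
    exit $rc
fi
```

Run it with the files to inspect as arguments; a non-zero exit status means at least one file deviates from both accepted layouts, which is the condition a host-hardening check or a package post-install test would want to flag.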