[Pkg-shadow-devel] Bug#554170: passwd: handle /var/backups/passwd.bak

Justin B Rye jbr at edlug.org.uk
Fri Mar 19 22:09:44 UTC 2010

Nicolas François wrote:
> Justin B Rye wrote:
>> [...]
>> Or preferably something more like this:
>> ----------------------------------------------------------------------
>> #!/bin/sh
>> cd /var/backups || exit 0
>> for	FILE in passwd group shadow gshadow; do
>> 	test -f /etc/$FILE		|| continue
>> 	cmp -s $FILE.bak /etc/$FILE	&& continue
>> 	install --preserve-context -pm 0600 /etc/$FILE $FILE.bak
>> done
>> ----------------------------------------------------------------------
> Is there a reason you changed cp + chmod to install --preserve-context ?
> The --preserve-context causes warnings (which would be sent daily) on
> non-SELinux machines.

Oh, sorry!  I'm even using a non-SELinux kernel right now - so that
tells me which machine I must have been on when I did my testing.
Okay, scratch that "--preserve-context".

Usually I'd go for the "install -pm 0600" approach because it has
the advantage of not leaving the permissions wrong for a moment;
but in this case, that only means there's a window of opportunity
for members of the shadow group to read data they could already see
in the original file...  In fact it's not quite clear to me why the
permissions would _need_ to be tightened up.

Using the same install command on all these files also loses the
opportunity to preserve the shadow group-ownership on /etc/*shadow.
But then again if you're stripping the group-readable bit why would
you _want_ to preserve the group-ownership?

Anyway, as I say, the whole point of this bugreport was that the
Shadow Cabal would know best what's appropriate here...
Ankh kak! (Ancient Egyptian blessing)

More information about the Pkg-shadow-devel mailing list