[Pkg-shadow-devel] [PATCH v2 5/5] Allow creating shadow files, when missing, via an option.

Dimitri John Ledkov dimitri.j.ledkov at intel.com
Wed Apr 8 01:47:24 UTC 2015


On 7 April 2015 at 09:17, Dimitri John Ledkov
<dimitri.j.ledkov at intel.com> wrote:
> On 6 April 2015 at 17:47, Mike Frysinger <vapier at gentoo.org> wrote:
>> On 06 Apr 2015 10:24, Dimitri John Ledkov wrote:
>>> On 5 April 2015 at 03:50, Mike Frysinger wrote:
>>> > On 01 Apr 2015 13:43, Dimitri John Ledkov wrote:
>>> >> +#
>>> >> +# Create shadow(5) and gshadow(5) files, when operations are invoked
>>> >> +# that could modify those. E.g. passwd/useradd/userdel/usermod etc.
>>> >> +# If this option is not set, shadow(5)/gshadow(5) files are updated,
>>> >> +# only if already present on disk.
>>> >> +#
>>> >> +#
>>> >> +#CREATE_SHADOW    yes
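Review bot: the commented-out sample "#CREATE_SHADOW    yes" that closes this comment block never states what the default is, so a reader can take the sample value for the default. Add a line to the comment that names the default explicitly (for example "# Default: no"), and drop one of the two consecutive empty "#" lines above the sample.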
>>> >> ...
>>> >>  bool sgr_file_present (void)
>>> >>  {
>>> >> +     if (getdef_bool ("CREATE_SHADOW"))
>>> >> +             return true;
>>> >>       return commonio_present (&gshadow_db);
>>> >>  }
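Review bot: in sgr_file_present(), the early "return true" when CREATE_SHADOW is set makes a function named "present" report a file that may not exist on disk, so every caller now has to read true as "present or about to be created". Document that at the function, or move the getdef_bool ("CREATE_SHADOW") test into a separately named helper so callers that need the real on-disk state can still rely on commonio_present (&gshadow_db). The visible lines also do not show which owner and mode a newly created gshadow file receives; since that file holds password hashes, the patch should state it.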
>>> >
>>> > looks to me like you're changing the default ?  it is now disabled by default
>>> > instead of enabled by default.
>>> >
>>>
>>> All options are disabled by default. The bit in the config file is
>>> commented out, thus getdef_bool will return false by default. Thus the
>>> presence of gshadow_db will remain as the default condition as to
>>> whether to use gshadow file or not. (same for shadow)
>>>
>>> Should first hunk then instead be:
>>>
>>> +#CREATE_SHADOW no
>>>
>>> ? And the manpage update, once this is settled.
>>
>> what i mean is that today, the behavior is as if you set:
>> CREATE_SHADOW yes
>>
>> but after your patch, the behavior is:
>> CREATE_SHADOW no
>>
>
> Today the behaviour is "CREATE_SHADOW no"
>
> rm /etc/shadow
> passwd
> (change password)
>
> Notice that:
> * /etc/shadow is not created
> * the hashed password ends up in /etc/passwd
>
> I could do "CREATE_SHADOW no" or even "# CREATE_SHADOW no" (e.g. to
> show that if not set, default is 'no')

Well... I guess the confusion arises from the "O_RDWR implies O_CREATE" patch.
So implying O_CREATE is sufficient to create /etc/group /etc/passwd
and so on, but not to create /etc/shadow & /etc/gshadow.
This is because there are extra explicit checks for shadow file presence e.g.:

        if (spw_file_present ()) {
                update_shadow ();
        } else {
                update_noshadow ();
        }

It is currently supported to operate without shadow, and when the file is
missing, _open(O_RDWR) is not even attempted; hence implying
O_CREATE doesn't help here.

-- 
Regards,

Dimitri.

https://clearlinux.org
Open Source Technology Center
Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.
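
The thread notes that with /etc/shadow missing, passwd writes the hashed password into /etc/passwd. The following is an added example, not code from this thread or from the shadow project: an audit of passwd(5)-format text that flags entries whose password field holds a hash or is empty. The function names, status labels and sample lines are assumptions made for illustration.

```python
import re

# crypt(3) modular format "$id$..." or a traditional 13-character DES hash.
MODULAR = re.compile(r"^\$[0-9A-Za-z]+\$.+")
DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_password_field(field):
    """Classify the second field of a passwd(5) entry."""
    if field == "x":
        return "shadowed"            # hash is kept in /etc/shadow
    if field == "":
        return "empty"               # no password required to log in
    unlocked = field.lstrip("!")     # a "!" prefix locks but keeps the hash
    if MODULAR.match(unlocked) or DES.match(unlocked):
        return "inline-hash"         # hash sits in the world-readable file
    if field[0] in "!*":
        return "locked"
    return "other"

def audit(passwd_text):
    """Return (line number, user, status) for entries needing attention."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:          # passwd(5) entries have seven fields
            findings.append((lineno, parts[0], "malformed"))
            continue
        status = classify_password_field(parts[1])
        if status not in ("shadowed", "locked"):
            findings.append((lineno, parts[0], status))
    return findings

# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:1000:1000::/home/alice:/bin/sh
bob::1001:1001::/home/bob:/bin/sh
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:1002:1002::/home/carol:/bin/sh
broken-line
"""

if __name__ == "__main__":
    for lineno, user, status in audit(SAMPLE):
        print(f"line {lineno}: {user}: {status}")
```

The 13-character DES pattern can match a non-hash string of the same shape, so treat an "inline-hash" result as a prompt to inspect the entry.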
