[Pkg-shadow-devel] [PATCH 0/5] Make shadow more robust in hostile environments
Dimitri John Ledkov
dimitri.j.ledkov at intel.com
Fri Mar 20 13:49:56 UTC 2015
I'm patching shadow to be more robust when operating in a-typical
environments, but these improvements are general enough, that I
believe warrant inclusion upstream by default.
Specifically there are deployments that use nss-altfiles /
nss-extrausers and thus ship alternative group/passwd/shadow/gshadow
files elsewhere on the filesystem (e.g. /var/lib/passwd). In such
configurations admin modifiable files /etc/passwd, /etc/group and so
on may not exist. Furthermore if one is bootstrapping a new
distribution from scratch, it would be nice to point shadow utilities
at an empty /etc and start creating default system accounts with
useradd/usermod/groupadd/etc utilities without writing initial files
by hand. Hence these changes:
* create all databases, with correct (?! used typical permissions
here, please correct if different defaults are desired) permissions,
even if they are missing / are empty.
* next /etc/shadow file existence is used as a flag file, whether or
not shadow passwords should be used. I think this is very odd, hence
I add FORCE_SHADOW option to make sure shadow/gshadow are used, even
if those files are non-existent.
* during testing I have noticed that when shadow is compiled with PAM
support, settings that are not-applicable any more, but present in
the stock /etc/login.defs are being complained about. So I made a
change for shadow to not complain about well-known settings, which
are not in effect when compiled with PAM support. If this is
undesirable, maybe instead we would want to pre-process login.defs
at compile time to make sure they do not contain any unknown
settings in a given configuration (with/without pam, with/without
* Lastly, I noticed that login command would bail out and exit, if
/etc/login.defs file is not present on disk. I find that very odd -
given that there are compiled in defaults for every single value for
all shadow utils to operate normally. Thus I made it non fatal for
login to operate without /etc/login.defs.
Overall my goal is to have fully usable system with empty /etc and
with these initial patches this is achievable. At the moment I'm also
working on adding full usermod support, when operating with
nss-altfiles. I believe multiple projects with broadly similar goals
would be interested in such support, e.g. all the
snapshot/image/read-only/container like deployments.
Please review and consider including these patches.
I have also pasted this merge proposal on github at:
Not sure where the right upstream is for shadow, so I'm hoping to
reach all the maintainers.
Dimitri John Ledkov (5):
Do not bail out on missing login.defs.
Do not report unknown settings, when compiled with PAM.
Do not fail on missing files in /etc/, create them instead.
Force use shadow, even if missing.
Create dbs with correct permissions.
etc/login.defs | 5 ++++
lib/commonio.c | 7 ++---
lib/commonio.h | 6 ++++
lib/getdef.c | 80 ++++++++++++++++++++++++++++++++++-------------------
lib/groupio.c | 3 ++
lib/pwio.c | 3 ++
lib/sgroupio.c | 5 ++++
lib/shadowio.c | 5 ++++
lib/subordinateio.c | 6 ++++
src/chage.c | 4 +--
src/chfn.c | 2 +-
src/chgpasswd.c | 4 +--
src/chpasswd.c | 4 +--
src/chsh.c | 2 +-
src/gpasswd.c | 4 +--
src/groupadd.c | 4 +--
src/groupdel.c | 4 +--
src/groupmems.c | 4 +--
src/groupmod.c | 6 ++--
src/grpck.c | 4 +--
src/grpconv.c | 2 +-
src/grpunconv.c | 2 +-
src/newusers.c | 12 ++++----
src/passwd.c | 4 +--
src/pwck.c | 6 ++--
src/pwconv.c | 2 +-
src/pwunconv.c | 2 +-
src/useradd.c | 12 ++++----
src/userdel.c | 12 ++++----
src/usermod.c | 12 ++++----
30 files changed, 141 insertions(+), 87 deletions(-)
More information about the Pkg-shadow-devel