[Pkg-shadow-devel] [PATCH 0/5] Make shadow more robust in hostile environments

Dimitri John Ledkov dimitri.j.ledkov at intel.com
Fri Mar 20 13:49:56 UTC 2015

I'm patching shadow to be more robust when operating in atypical
environments, but these improvements are general enough that I
believe they warrant inclusion upstream by default.

Specifically there are deployments that use nss-altfiles /
nss-extrausers and thus ship alternative group/passwd/shadow/gshadow
files elsewhere on the filesystem (e.g. /var/lib/passwd). In such
configurations admin-modifiable files /etc/passwd, /etc/group and so
on may not exist. Furthermore if one is bootstrapping a new
distribution from scratch, it would be nice to point shadow utilities
at an empty /etc and start creating default system accounts with
useradd/usermod/groupadd/etc utilities without writing initial files
by hand. Hence these changes:

* create all databases, with correct (?! used typical permissions
  here, please correct if different defaults are desired) permissions,
  even if they are missing / are empty.

* Next, the existence of the /etc/shadow file is used as a flag for
  whether or not shadow passwords should be used. I think this is very
  odd, hence I add a FORCE_SHADOW option to make sure shadow/gshadow
  are used, even if those files are non-existent.

* During testing I have noticed that when shadow is compiled with PAM
  support, settings that are not applicable any more, but present in
  the stock /etc/login.defs, are being complained about. So I made a
  change for shadow to not complain about well-known settings which
  are not in effect when compiled with PAM support. If this is
  undesirable, maybe instead we would want to pre-process login.defs
  at compile time to make sure they do not contain any unknown
  settings in a given configuration (with/without pam, with/without
  subuids, etc.)

* Lastly, I noticed that the login command would bail out and exit if
  the /etc/login.defs file is not present on disk. I find that very odd,
  given that there are compiled-in defaults for every single value for
  all shadow utils to operate normally. Thus I made it non-fatal for
  login to operate without /etc/login.defs.

Overall my goal is to have a fully usable system with an empty /etc,
and with these initial patches this is achievable. At the moment I'm
also working on adding full usermod support when operating with
nss-altfiles. I believe multiple projects with broadly similar goals
would be interested in such support, e.g. all the
snapshot/image/read-only/container-like deployments.

Please review and consider including these patches.

I have also pasted this merge proposal on github at:

Not sure where the right upstream is for shadow, so I'm hoping to
reach all the maintainers.

Dimitri John Ledkov (5):
  Do not bail out on missing login.defs.
  Do not report unknown settings, when compiled with PAM.
  Do not fail on missing files in /etc/, create them instead.
  Force use shadow, even if missing.
  Create dbs with correct permissions.

 etc/login.defs      |  5 ++++
 lib/commonio.c      |  7 ++---
 lib/commonio.h      |  6 ++++
 lib/getdef.c        | 80 ++++++++++++++++++++++++++++++++++-------------------
 lib/groupio.c       |  3 ++
 lib/pwio.c          |  3 ++
 lib/sgroupio.c      |  5 ++++
 lib/shadowio.c      |  5 ++++
 lib/subordinateio.c |  6 ++++
 src/chage.c         |  4 +--
 src/chfn.c          |  2 +-
 src/chgpasswd.c     |  4 +--
 src/chpasswd.c      |  4 +--
 src/chsh.c          |  2 +-
 src/gpasswd.c       |  4 +--
 src/groupadd.c      |  4 +--
 src/groupdel.c      |  4 +--
 src/groupmems.c     |  4 +--
 src/groupmod.c      |  6 ++--
 src/grpck.c         |  4 +--
 src/grpconv.c       |  2 +-
 src/grpunconv.c     |  2 +-
 src/newusers.c      | 12 ++++----
 src/passwd.c        |  4 +--
 src/pwck.c          |  6 ++--
 src/pwconv.c        |  2 +-
 src/pwunconv.c      |  2 +-
 src/useradd.c       | 12 ++++----
 src/userdel.c       | 12 ++++----
 src/usermod.c       | 12 ++++----
 30 files changed, 141 insertions(+), 87 deletions(-)
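
An added example, not part of the original message and not code from the shadow patches: one way to create a missing database file with a fixed mode regardless of umask, next to a model of the flag-file check and the FORCE_SHADOW override described in the cover letter. The function names, the modes 0644/0600 and the temporary directory are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Assumed modes (not from the patches; distributions differ). */
#define MODE_PUBLIC 0644 /* passwd, group */
#define MODE_SECRET 0600 /* shadow, gshadow */

/* Create path if missing. Returns 1 if created, 0 if a regular file was
 * already there, -1 on error (symlink, non-regular file, I/O failure). */
int ensure_db(const char *path, mode_t mode)
{
    struct stat st;
    /* O_EXCL neither follows a symlink at the last component nor truncates
     * existing data. The file starts at 0600 or tighter; fchmod() then sets
     * the final mode, so the caller's umask cannot widen or narrow it. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        int ok = (fchmod(fd, mode) == 0);
        if (close(fd) != 0) ok = 0;
        if (!ok) { unlink(path); return -1; }
        return 1;
    }
    if (errno != EEXIST) return -1;
    /* Something already exists: accept only a regular file. */
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return 0;
}

/* Model of the flag-file check: shadow passwords are used when the file
 * exists, or always when force_shadow (cf. FORCE_SHADOW) is set. */
int shadow_in_use(const char *shadow_path, int force_shadow)
{
    return force_shadow || access(shadow_path, F_OK) == 0;
}

int main(void)
{
    char dir[] = "/tmp/empty-etc-XXXXXX", p[64]; /* constructed test dir */
    if (!mkdtemp(dir)) return 1;
    snprintf(p, sizeof p, "%s/shadow", dir);
    printf("in use: %d, forced: %d\n", shadow_in_use(p, 0), shadow_in_use(p, 1));
    printf("created: %d\n", ensure_db(p, MODE_SECRET));
    printf("in use now: %d\n", shadow_in_use(p, 0));
    unlink(p); rmdir(dir);
    return 0;
}
```
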
