[Pkg-shadow-devel] [PATCH 0/5] Make shadow more robust in hostile environments

Mike Frysinger vapier at gentoo.org
Sun Mar 22 06:04:13 UTC 2015


On 20 Mar 2015 13:49, Dimitri John Ledkov wrote:
> * during testing I have noticed that when shadow is compiled with PAM
>   support, settings that are not-applicable any more, but present in
>   the stock /etc/login.defs are being complained about. So I made a
>   change for shadow to not complain about well-known settings, which
>   are not in effect when compiled with PAM support. If this is
>   undesirable, maybe instead we would want to pre-process login.defs
>   at compile time to make sure they do not contain any unknown
>   settings in a given configuration (with/without pam, with/without
>   subuids, etc.)

i think it is desirable to warn.  i've gotten reports where users tried to 
modify the file while using pam and were surprised by the result.  in Gentoo,
we process the file during install when pam is on so each of the options gets
a banner above it:
# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.

if shadow itself did that munging, it'd be nice
-mike
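
The banner step described in the message above, as an added example that is not part of the original post and is not Gentoo's or shadow's own code. The option list is an illustrative subset assumed for this example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: mark login.defs options that have no effect under PAM.
# PAM_IGNORED is an illustrative subset assumed for this example.
PAM_IGNORED="FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB OBSCURE_CHECKS_ENAB PASS_MIN_LEN QUOTAS_ENAB"
BANNER="# NOTE: This setting should be configured via /etc/pam.d/ and not in this file."

# Copy stdin to stdout with the banner above every listed option, whether
# it is active ("OPT value") or commented out ("#OPT value"). Idempotent:
# a line that already has the banner directly above it is left alone.
annotate_login_defs() {
    awk -v opts="$PAM_IGNORED" -v banner="$BANNER" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) ignored[a[i]] = 1 }
        {
            key = $0
            sub(/^[ \t]*#?/, "", key)    # drop indentation and one leading hash
            sub(/[ \t].*$/, "", key)     # keep only the option name
            if ((key in ignored) && prev != banner) print banner
            print
            prev = $0
        }'
}

# Print the listed options that are still active (uncommented), i.e. the
# ones an admin may wrongly believe are being enforced.
active_pam_ignored() {
    awk -v opts="$PAM_IGNORED" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) ignored[a[i]] = 1 }
        /^[ \t]*#/ { next }
        ($1 in ignored) { print $1 }'
}

# Constructed sample input, not taken from any real system.
SAMPLE='# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
#QUOTAS_ENAB    yes
UMASK           022
FAILLOG_ENAB    yes'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | annotate_login_defs
    printf '%s\n' "$SAMPLE" | active_pam_ignored
fi
```

Prose comments of the form "# OPTION ..." (hash followed by a space) are deliberately not matched, so only settings and commented-out settings get a banner.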