[Pkg-shadow-devel] [PATCH 4/5] Force use shadow, even if missing.

Dimitri John Ledkov dimitri.j.ledkov at intel.com
Mon Mar 30 09:45:59 UTC 2015


On 22 March 2015 at 06:14, Mike Frysinger <vapier at gentoo.org> wrote:
> On 20 Mar 2015 13:50, Dimitri John Ledkov wrote:
>> +#
>> +# Force use shadow, even if shadow passwd & shadow group files are
>> +# missing.
>> +#
>> +#FORCE_SHADOW    yes
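Review bot: the comment block above `FORCE_SHADOW` does not say which programs read the option, what the behaviour is while the line stays commented out, or what "force" does when the shadow passwd and shadow group files are missing (create them, or refuse to run). Suggest stating all three in the comment, since "Force use shadow" on its own leaves the scope and the default open to interpretation.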
> i think this documentation/naming is confusing.  it has no bearing on `login`
> behavior and whether it will use a password set directly in /etc/passwd or
> require one to be set in /etc/shadow.
> -mike

I agree that the naming above is confusing, and I would be open to
changing it to anything else.

LOGIN.DEFS(5) login.defs - shadow password suite configuration, has
options that affect passwd/useradd/usermod and pretty much every
other binary shipped by shadow project. So despite being named "login.defs"
it does configure everything in the shadow project. I guess a manpage
needs an update, with a cross reference that it affects passwd,
chgpasswd, chpasswd, gpasswd.

Or can we make it mandatory to use shadow, without an option?! In
practice /etc/shadow should be present everywhere, and with this patch
series tweaked would be created and used if missing. Imho, nobody
should be using passwd/login that does not support /etc/shadow today,
so there should be no harm in starting to enforce its usage. This
would also mean not introducing yet another insecure option for users
to toggle.



Open Source Technology Center
Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.
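The thread turns on whether a password lives in /etc/passwd or /etc/shadow. The following is an added example, not code from the patch series or the shadow project, that classifies each account by where its password field points; the function names and the sample file contents are constructed for illustration.

```python
# Added example: report where each account's password actually lives.
# Sample data below is constructed; hashes are placeholders, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:$6$constructedsalt$constructedhash:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol::1002:1002::/home/carol:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:16524:0:99999:7:::
"""


def parse(text):
    """Map login name -> second field, skipping blank or malformed lines."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            out[fields[0]] = fields[1]
    return out


def classify(passwd_text, shadow_text=None):
    """Return {user: status}; shadow_text=None models a missing shadow file."""
    shadow = parse(shadow_text) if shadow_text is not None else {}
    result = {}
    for user, pw in parse(passwd_text).items():
        if pw == "x":  # passwd(5): "x" means the hash is kept in shadow
            result[user] = "shadowed" if user in shadow else "no-shadow-entry"
        elif pw == "":
            result[user] = "empty-password-in-passwd"
        elif pw.startswith(("*", "!")):
            result[user] = "no-usable-password-in-passwd"
        else:
            result[user] = "hash-in-passwd"  # world-readable hash
    return result


def findings(passwd_text, shadow_text=None):
    """Accounts to fix before shadow use can be enforced."""
    bad = {"hash-in-passwd", "empty-password-in-passwd", "no-shadow-entry"}
    found = classify(passwd_text, shadow_text)
    return sorted(user for user, status in found.items() if status in bad)


if __name__ == "__main__":
    for user, status in classify(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user:8} {status}")
```

Passing `None` as the shadow text shows the missing-file case discussed in the thread: every account marked "x" then has no shadow entry to resolve to.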
