[Pkg-shadow-devel] [PATCH 4/5] Force use shadow, even if missing.

Dimitri John Ledkov dimitri.j.ledkov at intel.com
Mon Mar 30 09:45:59 UTC 2015


Heya,

On 22 March 2015 at 06:14, Mike Frysinger <vapier at gentoo.org> wrote:
> On 20 Mar 2015 13:50, Dimitri John Ledkov wrote:
>> +#
>> +# Force use shadow, even if shadow passwd & shadow group files are
>> +# missing.
>> +#
>> +#FORCE_SHADOW    yes
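Review bot: The comment block above `#FORCE_SHADOW    yes` does not say what happens when the option is left unset, nor what "force use" means when the shadow passwd and group files are missing (are they created, or does the operation fail?). Suggest stating the default and the missing-file behaviour in the comment, and naming the tools that read the setting, since the hunk names none and an administrator cannot tell from these lines what enabling it changes.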
>
> i think this documentation/naming is confusing.  it has no bearing on `login`
> behavior and whether it will use a password set directly in /etc/passwd or
> require one to be set in /etc/shadow.
> -mike

I agree that the naming above is confusing, and I would be open to
change it to anything else.

LOGIN.DEFS(5) login.defs - shadow password suite configuration, has
options that affect passwd/useradd/usermod and pretty much every
other binary shipped by the shadow project. So despite being named
"login.defs" it does configure everything in the shadow project. I guess
a manpage needs an update, with a cross reference that it affects passwd,
chgpasswd, chpasswd, gpasswd.

Or can we make it mandatory to use shadow, without an option?! In
practice /etc/shadow should be present everywhere, and with this patch
series tweaked would be created and used if missing. Imho, nobody
should be using passwd/login that does not support /etc/shadow today,
so there should be no harm in starting to enforce its usage. This
would also mean not introducing yet another insecure option for users
to toggle.


-- 
Regards,

Dimitri.

https://clearlinux.org/
Open Source Technology Center
Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.


