[Pkg-shadow-devel] [PATCH 0/5] Make shadow more robust in hostile environments

Dimitri John Ledkov dimitri.j.ledkov at intel.com
Mon Mar 30 09:55:04 UTC 2015

On 22 March 2015 at 06:04, Mike Frysinger <vapier at gentoo.org> wrote:
> On 20 Mar 2015 13:49, Dimitri John Ledkov wrote:
>> * during testing I have noticed that when shadow is compiled with PAM
>>   support, settings that are not-applicable any more, but present in
>>   the stock /etc/login.defs are being complained about. So I made a
>>   change for shadow to not complain about well-known settings, which
>>   are not in effect when compiled with PAM support. If this is
>>   undesirable, maybe instead we would want to pre-process login.defs
>>   at compile time to make sure they do not contain any unknown
>>   settings in a given configuration (with/without pam, with/without
>>   subuids, etc.)
> i think it is desirable to warn.  i've gotten reports where users tried to
> modify the file while using pam and were surprised by the result.  in Gentoo,
> we process the file during install when pam is on so each of the options gets
> a banner above it:
> # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
> if shadow itself did that munging, it'd be nice
> -mike

Ok, I'll work on fixing that.



Open Source Technology Center
Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.

More information about the Pkg-shadow-devel mailing list