[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Shadow passwords and GNU su

Tom Lees:
> Since we are planning on putting shadow passwords into bo, I think that we
> should start reoriganizing the distribution to support them now. That
> means we should move the shadow packages into bo from experimental (they


> need a .dsc-format source package generating, though), remove the
> existing 'login' and 'passwd' packages, and start making new binary

There is no need to remove the existing packages - shadow-login and
shadow-passwd can still be optional and Replace login and passwd.
This works here without any problems (the shadow-* packages have the
Essential flag, too).

> 	ssh (Hmmm... this is in Debian-non-US, and still needs to work
> 		with Debian 1.1/1.2)

Just needs to be recompiled on a system where /etc/shadow exists,
and configure will do the right thing (it would be better though,
if it was modified to check for getspnam() in libc instead).
And it will still work with 1.1/1.2 (modulo libc versions - if
you want it to work with 1.1, you have to compile with 5.2.18).

> 	samba

samba-1.9.16p9 works just fine with both shadow and non-shadow
passwords.  No changes required.

> 	X (although xdm-shadow is included, it is not used by default)

# cd /usr/X11R6/bin && mv xdm-shadow xdm
(works with both shadow and non-shadow passwords, too)

> 	adduser (more difficult)

Ideally it should run useradd instead of modifying password files
directly, but a simpler change should be enough for now:
 - if /etc/shadow is present, run pwconv5 before passwd (so that
   the new user is added to /etc/shadow as well)
 - check exit status from the passwd command instead of checking
   if "*" is still in /etc/passwd

> case of recompiling the binaries. However, adduser is a debian-specific
> package, and will need some large modifications to add support for proper
> shadow passwords (we really shouldn't be using 'useradd', etc., from the
> shadow package).

What is the problem with useradd, that we really shouldn't be using it?
Inquiring minds want to know...

> Secondly, what do we do with GNU su and shadow passwords? Since GNU su
> supports shadow passwords, but is not as secure as the su which is part of
> the shadow suite, it could become an undesirable security hole (someone
> wants to do a 'su', but is not in group 'root', so they just run
> '/sbin/gnu-su' instead).

On the other hand, some very important people who are on the side of
the masses, prefer GNU su precisely because of no access control.
They should have the choice.

> If we are going to move to shadow ASAP, I will upload the next shellutils
> without the GNU su binary.

I'd suggest to make a separate binary package containing only GNU su,
which can be used instead of shadow-su if necessary.


TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to: