
Re: Shadow passwords and GNU su

On Tue, 10 Dec 1996, Marek Michalkiewicz wrote:

> Tom Lees:
> > Since we are planning on putting shadow passwords into bo, I think that we
> > should start reorganizing the distribution to support them now. That
> > means we should move the shadow packages into bo from experimental (they
> Definitely...
> > need a .dsc-format source package generating, though), remove the
> > existing 'login' and 'passwd' packages, and start making new binary
> There is no need to remove the existing packages - shadow-login and
> shadow-passwd can still be optional and Replace login and passwd.
> This works here without any problems (the shadow-* packages have the
> Essential flag, too).

But if Debian is supposed to be moving to shadow in general anyway, why
give new users the (rather confusing) choice?

> > 	ssh (Hmmm... this is in Debian-non-US, and still needs to work
> > 		with Debian 1.1/1.2)
> Just needs to be recompiled on a system where /etc/shadow exists,
> and configure will do the right thing (it would be better though,
> if it was modified to check for getspnam() in libc instead).
> And it will still work with 1.1/1.2 (modulo libc versions - if
> you want it to work with 1.1, you have to compile with 5.2.18).
> > 	samba
> samba-1.9.16p9 works just fine with both shadow and non-shadow
> passwords.  No changes required.

Well, it didn't for me. I tried the binary version currently in bo, and it
breaks without shadow passwords - is this a bug in shadow or samba? Then,
I upgraded to shadow, and my non-shadow version (compiled from sources)
stopped working, so I had to reinstall the normal binary. Is this just me,
or can someone verify this behaviour?

> > 	X (although xdm-shadow is included, it is not used by default)
> # cd /usr/X11R6/bin && mv xdm-shadow xdm
> (works with both shadow and non-shadow passwords, too)

Not so sure - else why supply both? See above.

> > 	adduser (more difficult)
> Ideally it should run useradd instead of modifying password files
> directly, but a simpler change should be enough for now:
>  - if /etc/shadow is present, run pwconv5 before passwd (so that
>    the new user is added to /etc/shadow as well)
>  - check exit status from the passwd command instead of checking
>    if "*" is still in /etc/passwd

This should be fairly trivial.

> > case of recompiling the binaries. However, adduser is a debian-specific
> > package, and will need some large modifications to add support for proper
> > shadow passwords (we really shouldn't be using 'useradd', etc., from the
> > shadow package).
> What is the problem with useradd, that we really shouldn't be using it?
> Inquiring minds want to know...

It doesn't follow the Debian way of doing userIDs. What I meant was not to
be using it from the sysadmin's point of view - running it *from* adduser
would be OK.

> > Secondly, what do we do with GNU su and shadow passwords? Since GNU su
> > supports shadow passwords, but is not as secure as the su which is part of
> > the shadow suite, it could become an undesirable security hole (someone
> > wants to do a 'su', but is not in group 'root', so they just run
> > '/sbin/gnu-su' instead).
> On the other hand, some very important people who are on the side of
> the masses, prefer GNU su precisely because of no access control.
> They should have the choice.
> > If we are going to move to shadow ASAP, I will upload the next shellutils
> > without the GNU su binary.
> I'd suggest to make a separate binary package containing only GNU su,
> which can be used instead of shadow-su if necessary.

I'll do that then. But do we now need a new virtual package - 'su'? (GNU
su should be marked Essential, as should shadow-su - but we only want one
of them installed - how will dpkg and dselect handle this?)

Tom Lees <tom@lpsg.demon.co.uk>			http://www.lpsg.demon.co.uk/
PGP ID 87D4D065, fingerprint 2A 66 86 9D 02 4D A6 1E  B8 A2 17 9D 4F 9B 89 D6
finger tom@master.debian.org for full public key (also available on keyservers)
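The adduser change discussed above (run pwconv when /etc/shadow exists, and trust the exit status of passwd instead of grepping /etc/passwd for a "*" field) can be shown with a small constructed example. This is an added illustration, not code from the thread or from the Debian adduser package; the sample passwd/shadow files, the fake hash strings and the stand-in "passwd" commands are all constructed here.

```sh
#!/bin/sh
# Added example: why adduser should check passwd's exit status rather than
# grep for "*" in /etc/passwd, and how to tell that pwconv is needed.
# All files and commands below are constructed stand-ins, not system files.

# Old-style check: "the password is set if '*' is no longer in the field".
# Works on a non-shadow system, but once pwconv has moved the field to
# /etc/shadow the passwd entry reads 'x', so this reports success even
# when the shadow entry still holds the '*' placeholder.
old_check_password_set() {
    # $1 = user, $2 = passwd-format file
    ! grep -q "^$1:\\*:" "$2"
}

# New-style check: run the password-setting command and return its status.
new_check_password_set() {
    # $1 = user, $2 = command standing in for passwd
    "$2" "$1"
}

# Prints users present in the passwd file but absent from the shadow file.
# Non-empty output is the case the thread describes: adduser wrote the user
# to /etc/passwd only, so pwconv must run before passwd is called.
users_missing_from_shadow() {
    # $1 = passwd file, $2 = shadow file
    cut -d: -f1 "$1" | while read -r u; do
        grep -q "^$u:" "$2" || echo "$u"
    done
}

# The two steps Marek suggested, combined: convert if needed, then rely on
# the exit status. $3 is the pwconv stand-in, $4 the passwd stand-in.
adduser_password_step() {
    # $1 = user, $2 = passwd file, $5 = shadow file (may be absent)
    user=$1; pwfile=$2; pwconv_cmd=$3; passwd_cmd=$4; shfile=$5
    if [ -f "$shfile" ] && users_missing_from_shadow "$pwfile" "$shfile" | grep -qx "$user"; then
        "$pwconv_cmd" "$pwfile" "$shfile" || return 1
    fi
    new_check_password_set "$user" "$passwd_cmd"
}

# Constructs the sample files in a temporary directory and prints its path.
# Hash values are obviously fake placeholders.
make_samples() {
    dir=$(mktemp -d)
    # Non-shadow system, right after adduser created the account.
    printf 'root:FAKEHASH:0:0:root:/root:/bin/sh\nnewuser:*:1000:1000:New User:/home/newuser:/bin/sh\n' > "$dir/passwd.plain"
    # Same system after pwconv: fields are 'x', hashes live in shadow.
    printf 'root:x:0:0:root:/root:/bin/sh\nnewuser:x:1000:1000:New User:/home/newuser:/bin/sh\nanother:x:1001:1001:Added Later:/home/another:/bin/sh\n' > "$dir/passwd.shadowed"
    # Shadow file: 'another' was added to passwd afterwards and is missing here.
    printf 'root:FAKEHASH:10000:0:99999:7:::\nnewuser:*:10000:0:99999:7:::\n' > "$dir/shadow"
    echo "$dir"
}

# Stand-ins for passwd and pwconv so the example runs without root.
fake_passwd_ok() { return 0; }
fake_passwd_fail() { return 1; }
fake_pwconv() { echo "another:*:10000:0:99999:7:::" >> "$2"; }
```

Running `d=$(make_samples)` and then `adduser_password_step another "$d/passwd.shadowed" fake_pwconv fake_passwd_ok "$d/shadow"` shows the conversion step firing for the user missing from the shadow file, while `old_check_password_set newuser "$d/passwd.shadowed"` wrongly reports a password as set because the field is `x`.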

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com