
Re: Shadow passwords and GNU su

> Tom Lees:
> > But if Debian is supposed to be moving to shadow in general anyway, why
> > give new users the (rather confusing) choice?
> Right now, the shadow packages need more testing.  Maybe later...
> Many people run single user systems and don't need shadow passwords.

But having shadow passwords won't hurt them.

Once installed, shadow passwords are invisible to the user.

And if security is an issue, install /etc/shadow chgrp to shadow and g+rw, then required binaries can be installed setgid to shadow and do not need to run setuid to root.

I see no reason not to use shadow systemwide.  I believe that other distributions are doing that already (RedHat?) and I know FreeBSD has been doing that for a long time.

I had installed shadow passwording manually (that is, without a Debian package) a while back already.  When I upgraded to 1.2, I made sure to install the shadow packages in project/experimental (I believe that's the right path).  But I found that xdm, etc. were not compiled for support with shadow and I do not want to have to go back again and recompile all that stuff yet again.

There are those of us (like me) using Debian in a security-critical situation, and I am very nervous at the moment because I have "unshadowed" my system until I can get everything recompiled for shadow passwords.

In my opinion, shadow passwords are simple to implement yet go a long way towards maintaining system integrity.  I think that the addition of full shadow password support to Debian should be immediately implemented.

Also note: the /usr/X11R6/lib/X11/config/linux.cf file needs to be modified to indicate that the system is using shadow passwords before compiling the programs like xdm for Debian.  Once this change is made, xmkmf will correctly configure everything to use shadow passwords.

John Goerzen

John Goerzen          | System administrator & owner, The Communications
Custom programming    | Centre and Complete Network (complete.org)
jgoerzen@complete.org | Free Unix shell access, 316-367-8490 w/ your modem.
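
Added example, not part of the original message: a small Python audit of the layout described above, which checks the ownership and mode of the shadow file and classifies each binary by whether it reaches the hashes through setuid root or only through setgid to the `shadow` group. The sample records and binary names are constructed for illustration, and `stat_record` is a hypothetical helper for reading the same fields from a real path.

```python
import grp
import os
import pwd
import stat

def stat_record(path):
    """Read (owner name, group name, mode bits) for a real path."""
    st = os.stat(path)
    return (pwd.getpwuid(st.st_uid).pw_name,
            grp.getgrgid(st.st_gid).gr_name,
            stat.S_IMODE(st.st_mode))  # keeps setuid/setgid bits

def audit_shadow_file(owner, group, mode, shadow_group="shadow"):
    """Return findings for the password-hash file itself."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("accessible to other users")
    if group != shadow_group:
        findings.append("group is %s, not %s" % (group, shadow_group))
    elif not mode & stat.S_IRGRP:
        findings.append("group %s cannot read it" % shadow_group)
    if owner != "root":
        findings.append("owner is %s, not root" % owner)
    return findings

def classify_binary(owner, group, mode, shadow_group="shadow"):
    """How a binary gets at the hashes: full root, or only the shadow group."""
    if mode & stat.S_ISUID and owner == "root":
        return "setuid-root"
    if mode & stat.S_ISGID and group == shadow_group:
        return "setgid-shadow"
    return "no-privilege"

# Constructed sample records (owner, group, mode); not from a real system.
SAMPLE_SHADOW = ("root", "shadow", 0o660)
SAMPLE_BINARIES = {
    "locker-example": ("root", "shadow", 0o2755),
    "login-example": ("root", "root", 0o4755),
    "plain-example": ("root", "root", 0o755),
}

def report(shadow=SAMPLE_SHADOW, binaries=SAMPLE_BINARIES):
    """Audit the shadow file record and classify every binary record."""
    return (audit_shadow_file(*shadow),
            {name: classify_binary(*rec) for name, rec in binaries.items()})

if __name__ == "__main__":
    print(report())
```

On a live system, pass `stat_record("/etc/shadow")` and the records of the password-checking binaries to `report` instead of the samples.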
