[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Shadow passwords and GNU su

John Goerzen <jgoerzen@complete.org> wrote:
>> Tom Lees:
>> > But if Debian is supposed to be moving to shadow in general anyway, why
>> > give new users the (rather confusing) choice?
>> Right now, the shadow packages need more testing.  Maybe later...
>> Many people run single user systems and don't need shadow passwords.
>But having shadow password won't hurt them.
>Once installed, shadow passwords are invisible to the user.
>And if security is an issue, install /etc/shadow chgrp to shadow and g+rw, the
>n required binaries can be installed setgid to shadow and do not need to run s
>etuid to root.

If /etc/shadow is g+rw, then sgid shadow becomes, in effect, suid root (because
the ability to get shadow group access effectively would allow you to gain
root access - just edit /etc/shadow.)

At most, it should be g+r. (IMO)

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to: