tcb for debian?

To: debian-devel@lists.debian.org
Subject: tcb for debian?
From: Alexander Reelsen <ref@tretmine.org>
Date: Mon, 27 Jan 2003 09:40:52 +0100
Message-id: <[🔎] 20030127084052.GA32512@tretmine.org>
Mail-followup-to: debian-devel@lists.debian.org

Hi

I was just taking a look at tcb from the openwall project. A quick look at
packages.debian.org revealed that it seems not to be included in debian
yet.

Quick description (from the manpage)
With  the  traditional password shadowing scheme, password hashes and
password aging  information  of  all  users  is stored  in one file,
/etc/shadow.  Therefore, if a process requires access to information on a
single  user,  it  is forced  to  possess  privileges  which  are
sufficient to access data on all users.  This is a design flaw, which is
most  clearly  visible  in  the case of passwd(1) utility.  Let's assume
that unprivileged users are to be allowed  to change  their  own
passwords.   Whatever  permissions are assigned to /etc/shadow, passwd(1),
invoked  by  unprivi- leged  user U, must be able to modify the contents
of this file.  If malicious user U finds  a  way  to  control  the
passwd(1)  process  (with the help of a buffer overflow or another bug in
the passwd(1) code,  in  the  libraries  it uses,  or  in the kernel), the
user will be able to change passwords of all users and thus obtain full
control  over the system.

The  solution  is  straightforward - each user is assigned its own,
separate shadow-style file.  User U's shadow file is  owned by U, so
passwd(1) invoked by U does not require superuser privileges.

The directory where all  users'  shadow  files  reside  is /etc/tcb.


The principle sounds quite good, however there is one major drawback:

The tcb package contains core components of our tcb suite implementing the
alternative password shadowing scheme on Owl. It is being made available
separately from Owl primarily for use by other distributions. Note that
you need to have the password hashing framework introduced with
crypt_blowfish patched into glibc to compile this.


It is very unlikely that such a small package which is not used that much,
will get into debian if the glibc has to be patched, right?
The glibc patch of the crypt_blowfish package is not even 2kb "big". (3
lines added, however some files have to be copied additionally and the
patch is for glibc 2.1.3)


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://tretmine.org
ref@tretmine.org

Reply to:

Follow-Ups:
- Re: tcb for debian?
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: R:UNSUBSCRIBE
Next by Date: Re: Bug#176267: ITP: mplayer -- Mplayer is a full-featured audioand video player for UN*X like systems
Previous by thread: R:UNSUBSCRIBE
Next by thread: Re: tcb for debian?
Index(es):
- Date
- Thread