On Tue, Jan 09, 2001 at 10:24:14AM +1100, Marc-Adrian Napoli wrote:
> hi,
>
> why, when i have the following:
>
> machine:/etc# ls -la shadow
> -rw-r----- 1 root root 1761 Jan 9 10:34 shadow
>
> and then i run "passwd" to change my password are the permissions changed as
> such:
>
> machine:/etc# ls -la shadow
> -rw-r----- 1 root ppp 1761 Jan 9 10:34 shadow
>
> ?? group ppp has gid of 42 on my system and that includes all our users.
>
> i don't want our users to be able to see the shadow file but the permissions
> keep getting changed every time i change someone's password!

you have been messing with the standard debian user/group files:

[eb@socrates eb]$ grep 42 /usr/share/base-passwd/group.master
shadow:*:42:
[eb@socrates eb]$

passwd is probably using the hard-coded gid for the shadow group instead of the name and ensuring the shadow files have the proper permissions.

in debian uid/gid 0-99 are reserved for debian use, you should not alter any existing groups here (you may add users to them of course, just don't do things like changing gid=42 from shadow to ppp). also do not allocate your own system users/groups in the 0-99 range or else they may collide with future debian system accounts.

look at /usr/share/base-passwd/*.master and make sure your passwd files are consistent, resolve any conflicts by relocating your accounts/groups to higher uid/gid ranges. also check debian-policy (/usr/share/doc/debian-policy) for information about other reserved uids/gids.

basically it goes like this:

* 0-99: debian reserved.
* 100-999: reserved for dynamically allocated users/groups. you may use this space for your own system users/groups.
* 1000-29000: used for dynamically allocated standard user accounts, these are the uids your users should get.
* 30000-59999: reserved.
* 60000-64999: statically allocated centrally for debian use, unlike the 0-99 range they are not created by default on all debian systems, but all debian systems that have them created will have the same uid/gids. the qmail user accounts are allocated here.
* 65000-65533: reserved.
* 65534: user nobody, group nogroup.
* 65535: (uid_t)(-1) == (gid_t)(-1). NOT TO BE USED, because it is the error return sentinel value.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
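The consistency check the reply recommends, written out as an added shell example (not from the original mail or from base-passwd): it compares the names that a group.master assigns to gids 0-99 with a live group file and reports reserved gids that were renamed or taken over by a local group. The default paths are the Debian ones named in the thread; the sample files in run_demo are constructed and reproduce the gid 42 shadow/ppp case.

```shell
#!/bin/sh
# Added example, not from the original mail: compare the group names that a
# base-passwd style group.master assigns to gids 0-99 with the live group file,
# and report reserved gids that have been renamed or taken over locally.
# The file paths are parameters and default to the Debian locations named in
# the thread.

# check_reserved_groups MASTER_FILE GROUP_FILE
# Prints one line per conflict and returns 1 if any was found, else 0.
check_reserved_groups() {
    master="${1:-/usr/share/base-passwd/group.master}"
    actual="${2:-/etc/group}"
    awk -F: '
        NF < 3 { next }                     # skip blank or malformed lines
        # First file (master): remember the canonical name of each reserved gid.
        FNR == NR { if ($3 + 0 <= 99) want[$3] = $1; next }
        $3 + 0 > 99 { next }                # only the Debian-reserved 0-99 range
        # Reserved gid whose name was changed (the thread: gid 42 shadow -> ppp).
        ($3 in want) && want[$3] != $1 {
            printf "gid %s: master=%s actual=%s\n", $3, want[$3], $1; bad = 1
        }
        # Locally allocated group sitting on a reserved gid the master does not define.
        !($3 in want) {
            printf "gid %s: not in master, actual=%s\n", $3, $1; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$master" "$actual"
}

# run_demo: constructed sample files (not real system files) reproducing the
# reported situation (gid 42 renamed from shadow to ppp) plus a local group
# squatting on gid 77. Prints the conflicts found; always returns 0 so callers
# can capture the output.
run_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:*:0:\nshadow:*:42:\nusers:*:100:\nnogroup:*:65534:\n' > "$tmp/group.master"
    printf 'root:x:0:\nppp:x:42:marc\nmyapp:x:77:\nusers:x:100:\n' > "$tmp/group"
    if check_reserved_groups "$tmp/group.master" "$tmp/group"; then
        echo "no conflicts in reserved range"
    fi
    rm -rf "$tmp"
    return 0
}

run_demo
```

Run against the real files with `check_reserved_groups` and no arguments; a non-zero exit status means some gid in the reserved range no longer matches the master file.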