Re: /etc/shadow

To: "'Debian-Users $E-mail$'" <debian-user@lists.debian.org>
Subject: Re: /etc/shadow
From: Ethan Benson <erbenson@alaska.net>
Date: Mon, 8 Jan 2001 15:37:22 -0900
Message-id: <[🔎] 20010108153722.D29805@plato.local.lan>
Mail-followup-to: "'Debian-Users (E-mail)'" <debian-user@lists.debian.org>
In-reply-to: <[🔎] 018701c079ca$1d917300$88db3fcb@cia.com.au>; from marcadrian@cia.com.au on Tue, Jan 09, 2001 at 10:24:14AM +1100
References: <[🔎] 200101081959.RAA06444@server.splicenet.com.br> <[🔎] E14FlqU-00065C-00@riva.ucam.org> <[🔎] 018701c079ca$1d917300$88db3fcb@cia.com.au>

On Tue, Jan 09, 2001 at 10:24:14AM +1100, Marc-Adrian Napoli wrote:
> hi,
> 
> why, when i have the following:
> 
> machine:/etc#  ls -la shadow
> -rw-r-----    1 root     root         1761 Jan  9 10:34 shadow
> 
> and then i run "passwd" to change my pasword are the permissions changed as
> such:
> 
> machine:/etc#  ls -la shadow
> -rw-r-----    1 root     ppp         1761 Jan  9 10:34 shadow
> 
> ?? group ppp has gid of 42 on my system and that includes all our users.
> 
> i dont want our users to be able to see the shadow file but the permissions
> keep getting changed everytime i change someones password!

you have been messing with the standard debian user/group files:

[eb@socrates eb]$ grep 42 /usr/share/base-passwd/group.master
shadow:*:42:
[eb@socrates eb]$

passwd is probably using the hard coded gid for the shadow group
instead of the name and ensuring the shadow files have the proper
permissions.  in debian uid/gid 0-99 are reserved for debian use, you
should not alter any existing groups here (you may add users to them
of course, just don't do things like changing gid=42 from shadow to
ppp) also do not allocate your own system users/groups in the 0-99
range or else they may collide with future debian system accounts.  

look at /usr/share/base-passwd/*.master and make sure your passwd
files are consistent, resolve any conflicts by relocating your
accounts/groups to higher uid/gid ranges.  

also check debian-policy (/usr/share/doc/debian-policy) for
information about other reserved uids/gids.  basically it goes like
this:

* 0-99: debian reserved
* 100-999: reserved for dynamically allocated users/groups.  you may
  use this space for your own system users/groups.  
* 1000-29000: used for dynamically allocated standard user
  accounts, this is what uids your users should get.  
* 30000-59999: reserved.
* 60000-64999: statically allocated centrally for debian use, unlike
  the 0-99 range they are not created by default on all debian systems,
  but all debian systems that have them created will have the same
  uid/gids.  the qmail user accounts are allocated here. 
* 65000-65533: reserved.
* 65534: user nobody, group nogroup.  
* 65535: (uid_t)(-1) == (gid_t)(-1). NOT TO BE USED, because it is the
  error return sentinel value.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgp3y0vHLTWc6.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: /etc/shadow
  - From: John Hasler <john@dhh.gt.org>

References:
- packages
  - From: "Antonio A. Lobato" <tom@splicenet.com.br>
- Re: packages
  - From: cjw44@flatline.org.uk (Colin Watson)
- /etc/shadow
  - From: "Marc-Adrian Napoli" <marcadrian@cia.com.au>

Prev by Date: Re: /etc/shadow
Next by Date: dirt-level networking
Previous by thread: Re: /etc/shadow
Next by thread: Re: /etc/shadow
Index(es):
- Date
- Thread