
Re: /etc/shadow

On Tue, Jan 09, 2001 at 10:24:14AM +1100, Marc-Adrian Napoli wrote:
> hi,
> why, when i have the following:
> machine:/etc#  ls -la shadow
> -rw-r-----    1 root     root         1761 Jan  9 10:34 shadow
> and then i run "passwd" to change my password are the permissions changed as
> such:
> machine:/etc#  ls -la shadow
> -rw-r-----    1 root     ppp         1761 Jan  9 10:34 shadow
> ?? group ppp has gid of 42 on my system and that includes all our users.
> i don't want our users to be able to see the shadow file but the permissions
> keep getting changed every time i change someone's password!

you have been messing with the standard debian user/group files:

[eb@socrates eb]$ grep 42 /usr/share/base-passwd/group.master
[eb@socrates eb]$

passwd is probably using the hard coded gid for the shadow group
instead of the name and ensuring the shadow files have the proper
permissions.  in debian uid/gid 0-99 are reserved for debian use, you
should not alter any existing groups here (you may add users to them
of course, just don't do things like changing gid=42 from shadow to
ppp).  also do not allocate your own system users/groups in the 0-99
range or else they may collide with future debian system accounts.

look at /usr/share/base-passwd/*.master and make sure your passwd
files are consistent, resolve any conflicts by relocating your
accounts/groups to higher uid/gid ranges.  

also check debian-policy (/usr/share/doc/debian-policy) for
information about other reserved uids/gids.  basically it goes like

* 0-99: debian reserved
* 100-999: reserved for dynamically allocated users/groups.  you may
  use this space for your own system users/groups.  
* 1000-29000: used for dynamically allocated standard user
  accounts; these are the uids your users should get.
* 30000-59999: reserved.
* 60000-64999: statically allocated centrally for debian use, unlike
  the 0-99 range they are not created by default on all debian systems,
  but all debian systems that have them created will have the same
  uid/gids.  the qmail user accounts are allocated here. 
* 65000-65533: reserved.
* 65534: user nobody, group nogroup.  
* 65535: (uid_t)(-1) == (gid_t)(-1). NOT TO BE USED, because it is the
  error return sentinel value.

Ethan Benson
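The two checks the reply recommends, as an added example that is not part of the original mail or of base-passwd: classify an id by the ranges listed above, compare a system group file against a base-passwd master file for renamed ids in the 0-99 range, and validate an "ls -l" line for /etc/shadow. The group files it reads are constructed sample data written to a temporary directory, not a real /etc.

```shell
#!/bin/sh
# Added example (not from the original mail): helpers for the checks the
# reply recommends, run against constructed sample data instead of /etc.

# Classify a uid/gid by the ranges the mail lists (29001-29999 is not
# covered by the mail and is reported as "unspecified").
classify_id() {
    if   [ "$1" -le 99 ];    then echo debian-reserved
    elif [ "$1" -le 999 ];   then echo dynamic-system
    elif [ "$1" -le 29000 ]; then echo user
    elif [ "$1" -le 29999 ]; then echo unspecified
    elif [ "$1" -le 59999 ]; then echo reserved
    elif [ "$1" -le 64999 ]; then echo debian-static
    elif [ "$1" -le 65533 ]; then echo reserved
    elif [ "$1" -eq 65534 ]; then echo nobody/nogroup
    else echo sentinel-do-not-use
    fi
}

# Report ids in the 0-99 range whose name in the system file differs from
# the base-passwd master file. Usage: reserved_conflicts MASTER SYSTEM
reserved_conflicts() {
    awk -F: 'NR == FNR { master[$3] = $1; next }
             ($3 + 0) <= 99 && ($3 in master) && master[$3] != $1 {
                 printf "id %s: master=%s system=%s\n", $3, master[$3], $1 }' "$1" "$2"
}

# Check one "ls -l" line for /etc/shadow: mode -rw-r-----, owner root,
# group shadow (the name gid 42 carries under the Debian defaults).
shadow_line_ok() {
    set -- $1
    [ "$1" = "-rw-r-----" ] && [ "$3" = "root" ] && [ "$4" = "shadow" ]
}

# Constructed sample files reproducing the mail's situation: gid 42 has
# been renamed from shadow to ppp on the system.
demo() {
    tmp=$(mktemp -d)
    printf 'root:*:0:\nshadow:*:42:\nusers:*:100:\n' > "$tmp/group.master"
    printf 'root:x:0:\nppp:x:42:alice,bob\nusers:x:100:\n' > "$tmp/group"
    reserved_conflicts "$tmp/group.master" "$tmp/group"
    rm -rf "$tmp"
}

demo   # prints: id 42: master=shadow system=ppp
```

On a real Debian system the same comparison is `reserved_conflicts /usr/share/base-passwd/group.master /etc/group` (and likewise for passwd.master against /etc/passwd).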
