On Mon, 06 May 2013 21:50:52 +0200 Arthur de Jong <adej...@debian.org> wrote:
> [...]
>
> Determining who can see what information consists of basically two
> separate decisions (where those who have access to the hash are a subset
> of those who have access to the other information).
>
> (there is actually a third case because nslcd can, under specific
> circumstances, expose password hashes as part of the getent passwd
> request but that could be analogous to the access to the shadow hash
> decision)
>
> Suggestions as to how to specify this in the configuration file are
> welcome. I am looking for a proper solution for this.

Perhaps a lightweight ACL syntax like:

allow|deny MAP from user USER|group GROUP|all

For example:

allow shadow from user root
allow shadow from group shadow
deny shadow from all

(Earlier ACLs would take precedence.)

You could have similar syntax for mapping attributes, such as:

map shadow userPassword userPassword from user root
map shadow userPassword userPassword from group shadow
map shadow userPassword "*" from all

(to expose userPassword only to root and shadow)

This is way more flexibility than I (and probably most people) would need
but it seems like the most general solution.

> As a quick fix I could also make a patch that also returns the shadow
> information to requests from processes with group shadow. Such a patch
> could perhaps be considered for wheezy (if approved by the stable
> release team).

That seems like a nice quick fix.

> Some workarounds that are available as of now:
> - make the pwauth binary suid root (obviously not ideal)
> - remove ldap from the shadow line in /etc/nsswitch.conf
>
> The second option should result in pam_unix skipping the authorisation
> check (when using nslcd 0.8.4 or newer). Since nslcd performs the same
> checks (which should still be performed) this should not be a problem.

Thanks for the info about the second workaround. When we upgrade to Wheezy
that's probably what we'll do.

There shouldn't be any downside to removing ldap from the shadow line in
nsswitch.conf, right? I can't think of any.

For now I've gone with the first workaround. It's not ideal but upstream
pwauth actually ships setuid-root so I don't feel *too* bad about it.

> Thanks for your bug report pointing out the shadow group,

Sure thing. Thanks for your work on Debian!

-- 
Andrew
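A first-match evaluator for the "allow|deny MAP from ..." syntax proposed in the message above, added here as an example; it is not part of the thread and nslcd does not implement this syntax. The deny-by-default for requests no rule matches and the caller's user/group set being supplied by the caller are assumptions.

```python
"""Evaluate the proposed nslcd-style ACL lines: first matching rule wins,
earlier rules take precedence, unmatched requests are denied (assumption)."""
import re

# One rule per line: allow|deny MAP from user USER|group GROUP|all
RULE_RE = re.compile(r"^(allow|deny)\s+(\w+)\s+from\s+(all|user\s+\S+|group\s+\S+)$")


def parse_acl(text):
    """Parse ACL text into (action, map, subject_kind, subject_name) tuples.
    Comments (#) and blank lines are skipped; any other unparsable line is an
    error, so a typo cannot silently widen or narrow access."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        action, nssmap, subject = m.groups()
        parts = subject.split(None, 1)
        kind = parts[0]
        name = parts[1] if len(parts) > 1 else None
        rules.append((action, nssmap, kind, name))
    return rules


def is_allowed(rules, nssmap, user, groups):
    """Return True if the first rule matching this map and caller is 'allow'.
    `user` is the caller's user name, `groups` its set of group names
    (how these are obtained from the requesting process is out of scope)."""
    for action, rmap, kind, name in rules:
        if rmap != nssmap:
            continue
        matched = (kind == "all"
                   or (kind == "user" and name == user)
                   or (kind == "group" and name in groups))
        if matched:
            return action == "allow"
    return False  # assumption: nothing matched, so deny


# Constructed sample: the three shadow rules from the proposal.
SAMPLE_ACL = """
allow shadow from user root
allow shadow from group shadow   # e.g. a pwauth helper in group shadow
deny shadow from all
"""
```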