On Wed, Jan 12, 2005 at 11:00:56PM -0500, David Mandelberg wrote:
> Package: base-passwd
> Version: 3.5.9
> Severity: wishlist
> Tags: patch
>
> Hi,
>
> I added a few users and groups to doc/users-and-groups.sgml, and
> corrected some spelling errors. See the patch below for more info.

Thanks! Sorry for the delay in replying to this.

> @@ -565,7 +636,8 @@ > <term>shadow</term> > <listitem> > <para> > - <filename>/etc/shadow</filename> is readable by this group. Some > + <filename>/etc/shadow</filename> and > + <filename>/var/backups/shadow.bak</filename> are readable by this > group. Some > programs that need to be able to access the file are setgid > shadow. > </para>

On my system, /var/backups/shadow.bak is owned by group shadow, but is not readable by it (i.e. it's root:shadow 0600).

> + <varlistentry> > + <term>ssh</term> > + <listitem> > + <para> > + HELP: <filename>/usr/bin/ssh-agent</filename> is setgid to ssh, why > I > + don't know. > + </para> > + </listitem> > + </varlistentry>

This is to prevent ptrace attacks; you can't strace a setgid program unless you're root. See the changelog for openssh 1:3.5p1-1.

> + <varlistentry> > + <term>sshd</term> > + <listitem> > + <para> > + HELP: This is in my <filename>/etc/passwd<filename>, but doesn't > + appear to be used for anything. It's probably a relic user that > + <command>sshd</command> used to use for its pid file or > + something similar. > + </para> > + </listitem> > + </varlistentry>

No, it's the unprivileged user used by (privsep) sshd when communicating with the network before successful authentication. See sshd_config(5).

Otherwise, looks good to me. Committed, and will be in 3.5.10.

Cheers,

--
Colin Watson [EMAIL PROTECTED]
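
Review bot: in the shadow hunk (@@ -565,7 +636,8 @@), the added claim that /var/backups/shadow.bak is readable by group shadow should be checked against the file's actual mode. The reply in this thread reports root:shadow 0600, which is group-owned but not group-readable, so consider wording it as owned by the group rather than readable by it. With two files now named, the unchanged sentence "programs that need to be able to access the file" has also become ambiguous and should say which file it means.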
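
Review bot: the new ssh entry puts a "HELP:" placeholder ("why I don't know") into the published documentation where a description belongs. Replace it with the reason given in the reply: /usr/bin/ssh-agent is setgid ssh to prevent ptrace attacks, because a setgid program cannot be straced by anyone but root.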
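
Review bot: in the new sshd entry, "<filename>/etc/passwd<filename>" opens a second filename element instead of closing the first; the second tag should be "</filename>". The paragraph is also a "HELP:" guess ("probably a relic user") and should be replaced with the explanation from the reply: sshd is the unprivileged user that privilege-separated sshd uses when communicating with the network before successful authentication, as described in sshd_config(5).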