Bugtraq mailing list archives
Re: Linux-Mandrake Xlockmore security update
From: flaps () DGP TORONTO EDU (Alan J Rosenthal)
Date: Mon, 5 Jun 2000 10:39:14 -0400
> Of course, in order to perform the password-check xlock must be setuid root and have access to the shadowed passwd file.
Well, no. It needs read access to the shadow password file, and that's it, and it doesn't need to be setuid root. If you create a special "shadow gid" for use only by programs which need only read access to /etc/shadow, and put /etc/shadow in group shadow (still owned by root) and make it mode 640, then you can make programs such as xlock(more) setgid shadow and thus give them no other additional ability than to read /etc/shadow.

We might not want to get into hundreds of specialized groups for special abilities to be granted to individual programs (although some would surely argue that we should), but I think that anything big, which includes anything which is an X client because the X libraries are big, should not be setuid root if at all possible.

Some capabilities are equivalent to root. "passwd" only needs to be able to read *and*write* /etc/shadow, but there's no sense in using a special group for this because the ability to write to /etc/shadow is equivalent to root. But the ability to *read* /etc/shadow is far short of compromising root (it's simply the situation everyone was in before shadowed passwords came about), and worth distinguishing from setuid root, especially for X clients.

ajr
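
The layout described in the message above can be checked mechanically. The following is an added example, not part of the original post: the function names are hypothetical, GNU coreutils `stat` is assumed, and the group and owner default to the "shadow" and "root" named in the message.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat(1).

# priv_of FILE: print how FILE elevates privilege when executed:
#   setuid:<owner>, setgid:<group>, or none. Setuid takes precedence,
#   so a file that is both setuid and setgid is reported as setuid.
priv_of() {
    mode=$(stat -c '%a' "$1") || return 2
    if [ $(( 0$mode & 04000 )) -ne 0 ]; then
        echo "setuid:$(stat -c '%U' "$1")"
    elif [ $(( 0$mode & 02000 )) -ne 0 ]; then
        echo "setgid:$(stat -c '%G' "$1")"
    else
        echo "none"
    fi
}

# audit_shadow_layout PROGRAM SHADOW_FILE [GROUP] [OWNER]
# Returns 0 only when SHADOW_FILE is OWNER:GROUP with mode 640 and PROGRAM
# is setgid GROUP without being setuid. GROUP and OWNER are parameters so
# the check can be tried on scratch files without root.
audit_shadow_layout() {
    prog=$1 sfile=$2 grp=${3:-shadow} own=${4:-root} rc=0
    have=$(stat -c '%U:%G %a' "$sfile") || return 2
    if [ "$have" != "$own:$grp 640" ]; then
        echo "FAIL $sfile is '$have', want '$own:$grp 640'"
        rc=1
    fi
    priv=$(priv_of "$prog") || return 2
    if [ "$priv" != "setgid:$grp" ]; then
        echo "FAIL $prog is '$priv', want 'setgid:$grp'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $prog is setgid $grp only; $sfile is $have"
    return "$rc"
}
```

On a real system the call would be `audit_shadow_layout "$(command -v xlock)" /etc/shadow`, which fails for a setuid-root xlock and passes for the setgid-shadow arrangement.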