Bugtraq mailing list archives

Re: Linux-Mandrake Xlockmore security update


From: flaps () DGP TORONTO EDU (Alan J Rosenthal)
Date: Mon, 5 Jun 2000 10:39:14 -0400


> Of course, in order to perform the password-check xlock must be setuid root
> and have access to the shadowed passwd file.

Well, no.  It needs read access to the shadow password file, and that's it,
and it doesn't need to be setuid root.

If you create a special "shadow gid" for use only by programs which need only
read access to /etc/shadow, and put /etc/shadow in group shadow (still owned
by root) and make it mode 640, then you can make programs such as xlock(more)
setgid shadow and thus give them no other additional ability than to read
/etc/shadow.

We might not want to get into hundreds of specialized groups for special
abilities to be granted to individual programs (although some would surely
argue that we should), but I think that anything big, which includes anything
which is an X client because the X libraries are big, should not be setuid
root if at all possible.

Some capabilities are equivalent to root.  "passwd" only needs to be able to
read *and*write* /etc/shadow, but there's no sense in using a special group
for this because the ability to write to /etc/shadow is equivalent to root.

But the ability to *read* /etc/shadow is far short of compromising root (it's
simply the situation everyone was in before shadowed passwords came about),
and worth distinguishing from setuid root, especially for X clients.

ajr
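
The "shadow gid" layout described in the message above, as an added example that is not part of the original post or of xlockmore: the real-world commands are shown in comments (they need root), and the runnable part builds the same layout in a scratch directory and audits it. Assumptions: the script runs unprivileged, so the caller's own uid and primary group stand in for root and for the `shadow` group, the shadow file contents and the `xlock` stand-in are constructed, and `stat -c` is GNU/BusyBox stat.

```shell
#!/bin/sh
# Added example (not from the original post): give a program read access to
# /etc/shadow through a setgid bit only, never through setuid root, and audit
# that a given shadow file / binary pair actually has that shape.

# Real-world form of the layout (needs root; shown for reference, not run here):
#   groupadd --system shadow
#   chown root:shadow /etc/shadow
#   chmod 0640 /etc/shadow
#   chown root:shadow /usr/bin/xlock
#   chmod 2755 /usr/bin/xlock      # setgid shadow, NOT setuid root

# mode_of FILE -> octal mode including the special bits, e.g. 640 or 2755
mode_of() {
    stat -c '%a' "$1"
}

# group_of FILE -> numeric gid of the file's group
group_of() {
    stat -c '%g' "$1"
}

# setup_demo_layout DIR: the layout above, under DIR instead of /.
# Assumption: running unprivileged, so the caller's primary group plays the
# part of "shadow" and the caller's uid plays root; the permission checks
# that matter are identical.
setup_demo_layout() {
    dir=$1
    mkdir -p "$dir/etc" "$dir/bin"
    # constructed shadow file; the hash field is a placeholder, not a real hash
    printf 'root:*:18000:0:99999:7:::\nalice:$6$placeholder:18000:0:99999:7:::\n' \
        > "$dir/etc/shadow"
    chmod 0640 "$dir/etc/shadow"
    # stand-in for the xlock binary
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/xlock"
    chmod 2755 "$dir/bin/xlock"
}

# audit_layout SHADOW BINARY -> 0 if BINARY reaches SHADOW via setgid only
audit_layout() {
    shadow=$1
    bin=$2
    smode=$(mode_of "$shadow")
    bmode=$(mode_of "$bin")
    # the shadow file must be group-readable and not world-readable
    case "$smode" in
        640|0640) ;;
        *) echo "FAIL: $shadow mode is $smode, want 640" >&2; return 1 ;;
    esac
    # the binary must carry setgid (2xxx) and must not carry setuid (4xxx/6xxx)
    case "$bmode" in
        2???) ;;
        *) echo "FAIL: $bin mode is $bmode, want setgid only (2xxx)" >&2; return 1 ;;
    esac
    # the setgid group must be the shadow file's group, or the bit buys nothing
    if [ "$(group_of "$bin")" != "$(group_of "$shadow")" ]; then
        echo "FAIL: $bin group differs from $shadow group" >&2
        return 1
    fi
    return 0
}

# Usage: sh shadowgid.sh demo   (runs the scratch-directory demo)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    setup_demo_layout "$d"
    audit_layout "$d/etc/shadow" "$d/bin/xlock" && echo "OK: setgid-only read access"
    rm -rf "$d"
fi
```

The audit rejects a world-readable shadow file (mode 644), a binary with the setuid bit set (4xxx or 6xxx), and a setgid binary whose group is not the shadow file's group. It says nothing about what the program does with the group after it has read the entry; a setgid program should still drop its effective and saved gid once the password hash is in memory, so that the X libraries run with no extra privilege at all.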

