Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_4

Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: world-readable shadow backups in SuSe 5.2

Re: world-readable shadow backups in SuSe 5.2

Roman Drahtmueller (draht2RZLIN1.RUF.UNI-FREIBURG.DE)
Thu, 12 Nov 1998 22:40:14 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Marcelo Tosatti: "Bootpd 2.4.3 tmp race"
Previous message: Solar Designer: "Re: [Fwd: NOTE: Solaris 7 gotcha for some ultras]"
In reply to: Erik: "Re: world-readable shadow backups in SuSe 5.2"
Next in thread: xnec: "Re: world-readable shadow backups in SuSe 5.2"

On Wed, 11 Nov 1998, Erik <netmask303.ORG> wrote:
[...]
> On a slackware 3.5 machine, with no backups... changing users password..
> leaves
>
> -rw-------   1 root     root          560 Nov 11 09:53 shadow-
>
> chmod 600. So I would say its a suse linux problem.

Not having /etc/shadow mode 640 (root.shadow) requires you to suid
root xlock and all the kde screen lockers. With SuSE, 2755
(root.shadow) on xlock and *.kss is enough. So it may _not_ be a SuSE
problem...

Remember that every time a configuration change in the system is being
done with yast (yet another setup tool, specific to SuSE),
/sbin/SuSEconfig is being run. This script launches "/usr/bin/chkstat
-set /etc/permissions"  (plus /etc/permissions{.easy,.local}), where
/etc/permissions describes /etc/shadow as root.shadow, mode 640.

Whenever you change a password or add a user, /etc/shadow- is being
set to the same permissions as /etc/shadow by /usr/bin/password or
/usr/sbin/useradd. If you add users with vi, you must know what you're
doing.

Also keep in mind that yast (and therefore SuSEconfig + chkstat) are
being run at first bootup after setting the root-password. Means:
nobody except root can read /etc/shadow since root is the only user in
the system who has a password. If /etc/shadow- is 644 at this stage,
it just doesn't matter, because the next useradd will clean it up.
It's not beautiful, and it may be considered a bug, but for sure it's
not worth bothering/posting/the time.

rgds,
Roman.
 _                                                                   _
| Roman Drahtmller              "The whole world is about three       |
  CC University of Freiburg       drinks behind."
| email: drahtuni-freiburg.de         (Humphrey Bogart)              |
 -                                                                   -

Next message: Marcelo Tosatti: "Bootpd 2.4.3 tmp race"
Previous message: Solar Designer: "Re: [Fwd: NOTE: Solaris 7 gotcha for some ultras]"
In reply to: Erik: "Re: world-readable shadow backups in SuSe 5.2"
Next in thread: xnec: "Re: world-readable shadow backups in SuSe 5.2"