OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: password file locking
From: Michael Ju. Tokarev (mjttls.msk.ru)
Date: Sat Aug 26 2000 - 19:56:14 CDT


Solar Designer wrote:
>
> Hi,
>
> In recent Linux distributions, we have at least the following
> packages that write to /etc/passwd:
>
> 1. pwdb (provides libpwdb, which is used by pam_pwdb).
> 2. pam_unix (included with Linux-PAM).
> 3. util-linux (provides chsh, chfn).
> 4. shadow-utils (provides useradd and the like).
>
> Only #1 and #4 use compatible locking.
>
> All of these are found on at least RH 6.x. pam_unix isn't used by
> default, but is often recommended on pam-list and apparently is
> going to replace pam_pwdb in RH 7.x.
>
> Solutions?
> 1. Move to a more consistent system. Bonus: consistent man pages.
> 2. Patch util-linux, patch pam_unix.
> 3. Patch util-linux, don't use pam_unix.
> 4. Use the versions of chsh and chfn provided with shadow-utils
> rather than ones provided with util-linux (any particular reason RH
> prefers the util-linux versions?). Don't use pam_unix.
>
> Signed,
> Solar Designer

Ok, looked to source. It seemed to be the best is to use
system-supplied locking mechanism in all cases. One routine
that can be used is lckpwdf (and ulckpwdf to unlock) if it
exists. I don't know where it comes from: in glibc, there is
no documentation on it; on Solaris 2.6, man lckpwdf gives:
 NOTES
   These routines are for internal use only; compatibility
   is not guaranteed.

Shadow-utils uses this pair (or at least should) if it
available (autoconf test). Current pam_unix also can use
it (and only) if USE_LCKPWDF defined.

Well, I see two common locking mechanisms:

  lckpwdf way is creating /etc/.pwd.lock file to lock
  both passwd and shadow

  other way used in shadow-utils (if lckpwdf is not
  available?) and pwdb is to create passwd.lck and
  shadow.lck files

I don't know what of them is a preferred way from
robustness/etc point of view (last seemed to be not
very good but still), but I think that from compatibility
point of view (that original post was about) lckpwdf
way should be the best, since this routine can be implemented
in other systems also but with different methods.
And this way, manual pages will be consistent also,
simple by _not_ mentioning of how locking done, but
giving a link to lckpwdf(3) (to be written for linux).

I looked to lckpwdf implementation in glibc -- it is
pretty cheap (it does not checks for stale lock, but
this is rather ok for this sort of things I think).

So, I think that pam_pwdb and shadow-utils should be
patched instead, and all new code should use
lckpwdf also.

Comments?

Regards,
 Michael.