Re: [owl-users] tcb and friends with shadow-utils 4.0.12

From: Solar Designer (solar@private)
Date: Sat Jul 01 2006 - 20:47:22 PDT


I wrote:
> > SimplePAMApps is a package that provides small PAM-only implementations
> > of login, passwd, and su.  It is essentially unmaintained upstream - so
> > we're maintaining it ourselves.  (Maybe we should be making releases of
> > "our" SimplePAMApps separately from Owl.)

On Sat, Jul 01, 2006 at 09:21:10PM -0600, Vincent Danen wrote:
> Yeah, I finally updated my CVS copy of owl and started grepping for
> passwd and found that.  I was fiddling with it a bit before I had to
> take off, and there's some gcc4 cleanup that's needed I think in order
> for passwd to compile properly.

If SimplePAMApps requires any fixes for gcc 4.1+, I'm sure Dmitry
already has those implemented for ALT Linux's distributions.

> But I plan on dropping that in on my test vm and see if that makes a
> difference.  If so, it'll be nice because our passwd is the only thing
> that uses libuser, so if I can drop it, fantastic.  The other stuff I
> see in SimplePAMApps look to already be provided by util-linux, so the
> only thing I'm really interested in is passwd.

The implementations of all three utilities - login, passwd, and su - are
smaller and likely safer than those from util-linux and the shadow suite.

Owl-current on x86:

-rwx------ 1 root root   18604 2006-05-06 03:56 /bin/login
-rwx------ 1 root root   19120 2006-05-06 03:56 /bin/su
-rwx--s--x 1 root shadow  6884 2006-05-06 03:56 /usr/bin/passwd

RHEL3 Update 6 on x86:

-rwxr-xr-x    1 root     root        19868 Sep 14  2005 /bin/login
-rwx------    1 root     root        46156 Jul 22  2005 /bin/su
-r-s--x--x    1 root     root        17700 Jun 25  2004 /usr/bin/passwd

(the perms on /bin/su are a local change).

> I should, now that I'm thinking of it, just try the passwd program from
> the shadow-utils suite too... that might work.

Yes, it might work, but I do not recommend it.

> In fact, openwall was where I got the
> idea of tagging stuff with -avx- or -fdr- or -mdk-, etc.

FWIW, when Red Hat Linux was split into RHEL and Fedora, we continued to
tag patches from Fedora with -rh-.  We did not introduce a -fdr-.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
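The two `ls -l` listings above make a security point that is easy to miss when only comparing sizes: on Owl, passwd is setgid `shadow` rather than setuid root, and login and su are not world-executable at all, whereas the RHEL3 passwd runs setuid root. The following script is an added example, not code from the thread or from Owl; it parses `ls -l` style lines (the two listings from the message are embedded as constructed input) and reports each binary's privilege model so the difference is explicit. The `Entry`, `parse_listing`, and `compare` names are my own; the mode-string layout (setuid shown as `s` in the owner-execute slot, setgid in the group-execute slot) is standard `ls` output.

```python
#!/usr/bin/env python3
"""Report the privilege model of binaries from `ls -l` style listings.

Added example (not part of the mailing-list post or of Owl). It answers the
audit question behind the two listings in the thread: which binaries run
setuid root, which run setgid to a narrower group such as 'shadow', and
which are executable by everyone.
"""
from dataclasses import dataclass

# Constructed input: the two listings quoted in the thread (Owl-current and
# RHEL3 Update 6 on x86), copied verbatim.
OWL_LISTING = """\
-rwx------ 1 root root   18604 2006-05-06 03:56 /bin/login
-rwx------ 1 root root   19120 2006-05-06 03:56 /bin/su
-rwx--s--x 1 root shadow  6884 2006-05-06 03:56 /usr/bin/passwd
"""
RHEL_LISTING = """\
-rwxr-xr-x    1 root     root        19868 Sep 14  2005 /bin/login
-rwx------    1 root     root        46156 Jul 22  2005 /bin/su
-r-s--x--x    1 root     root        17700 Jun 25  2004 /usr/bin/passwd
"""


@dataclass
class Entry:
    mode: str    # 10-char mode string, e.g. "-rwx--s--x"
    owner: str
    group: str
    size: int
    path: str

    @property
    def setuid(self) -> bool:
        # Owner-execute slot shows 's' (or 'S' if not executable) when setuid.
        return self.mode[3] in "sS"

    @property
    def setgid(self) -> bool:
        # Group-execute slot shows 's'/'S' when setgid.
        return self.mode[6] in "sS"

    @property
    def world_exec(self) -> bool:
        return self.mode[9] in "xt"

    def privilege(self) -> str:
        """Summarize what the binary gains at exec time."""
        if self.setuid:
            return "setuid-root" if self.owner == "root" else f"setuid-{self.owner}"
        if self.setgid:
            return f"setgid-{self.group}"
        return "none"


def parse_listing(text: str) -> list[Entry]:
    """Parse `ls -l` output; tolerate both GNU date formats seen above."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip "total N" lines and anything that is not a mode string.
        if len(fields) < 7 or len(fields[0]) != 10:
            continue
        mode, _links, owner, group, size = fields[:5]
        entries.append(Entry(mode, owner, group, int(size), fields[-1]))
    return entries


def compare(a_name: str, a_text: str, b_name: str, b_text: str) -> list[dict]:
    """Pair entries by path and return privilege, size and world-exec for each side."""
    a = {e.path: e for e in parse_listing(a_text)}
    b = {e.path: e for e in parse_listing(b_text)}
    rows = []
    for path in sorted(set(a) | set(b)):
        row = {"path": path}
        for name, ent in ((a_name, a.get(path)), (b_name, b.get(path))):
            row[name] = (ent.privilege(), ent.size, ent.world_exec) if ent else None
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in compare("owl", OWL_LISTING, "rhel3", RHEL_LISTING):
        print(f"{row['path']:16} owl={row['owl']}  rhel3={row['rhel3']}")
```

The same functions can be pointed at a live system by feeding them the output of `ls -l /bin/login /bin/su /usr/bin/passwd`; anything reported as `setuid-root` is where a bug in the binary yields full root, while `setgid-shadow` bounds the damage to the shadow group's files.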