From: russell@coker.com.au (Russell Coker)
Date: Thu, 25 Sep 2008 17:12:07 +1000
Subject: [refpolicy] useradd/passwd patch
In-Reply-To: <48DAB33E.3030209@kutulu.org>
References: <48DAB33E.3030209@kutulu.org>
Message-ID: <200809251712.08588.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thursday 25 September 2008 07:38, Mike Edenfield wrote:
> Allows passwd and useradd to execute unix_chkpwd (and related binaries)
> to read and update user passwords.

Why would passwd and useradd ever need to do that?

unix_chkpwd is only ever called if the shadow file can't be read directly.
passwd needs direct read access and while it might be possible to write a
useradd that doesn't need read access (if based on the assumption that
/etc/shadow would never be in any way corrupt or out of sync with
/etc/passwd), realistically it will always need such access.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
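The distinction Russell draws, written out as a refpolicy-style fragment (an added illustration, not the patch under discussion nor refpolicy's own text; the interface and type names are assumed to match the authlogin and usermanage modules of that era):

```selinux
# Added illustration, not part of the posted patch or of refpolicy itself.
# Interface/type names (auth_manage_shadow, auth_domtrans_chk_passwd,
# passwd_t, user_t, chkpwd_t) are assumed to be refpolicy's.

# What passwd actually needs: direct access to /etc/shadow (shadow_t),
# because it rewrites the hash itself. With this in place pam_unix never
# falls back to unix_chkpwd, so no chkpwd transition is required.
auth_manage_shadow(passwd_t)

# What the quoted patch would add on top. Redundant for a domain that
# already reads shadow_t directly; it only widens what passwd_t may execute.
# auth_domtrans_chk_passwd(passwd_t)

# The case the chkpwd helper exists for: a domain that must NOT read
# shadow_t (here an ordinary user domain) verifies a password by a
# domain transition into chkpwd_t, which reads shadow_t on its behalf.
auth_domtrans_chk_passwd(user_t)
```

Checking which of the two a loaded policy actually grants a domain (e.g. with setools' sesearch, querying allow rules from passwd_t to shadow_t and type transitions to chkpwd_t) is the quickest way to confirm whether such a rule is needed at all.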