Date: Mon, 21 Mar 2005 07:33:25 -0500 (EST)
From: c0ldbyte <c0ldbyte@myrealbox.com>
To: "H. S." <security@revolutionsp.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: passwd & permissions
Message-ID: <20050321072417.T40399@eleanor.us1.wmi.uvac.net>
In-Reply-To: <49296.81.84.174.5.1111346817.squirrel@mail.revolutionsp.com>
References: <49296.81.84.174.5.1111346817.squirrel@mail.revolutionsp.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 20 Mar 2005, H. S. wrote:

> Hey,
>
> I've been using FreeBSD on various servers for a long time now, and there is
> something that always bothered me. It is related to /etc/passwd and
> /etc/pwd.db permissions.
>
> I have custom (0640) permissions on these files. However, each time a user
> changes his/her password, the system will reset the password file
> permissions back to the original (rw r r). I'm not much of a programmer,
> but I tried to change passwd.c source to do an execl() at the end of the
> file (calling chmod). After trying it, the permissions were reset anyway,
> so I added a perror("execl") and it says permission denied. Should be
> because passwd dropped privileges at that part of the program. I've
> thought about a cron job to fix the permissions every X minutes, but I'd
> like a more "clean" option to this.
>
> Where in the system can I change the permission-reset behaviour? This
> also happens, for example, with /usr/local/sbin/ (rwx rx x are my
> permissions) after I upgrade any port, it will be rwx rx rx, and
> /usr/local/www too.
>
> I've edited the mtree/ files as it sounded like a good lead, but the
> behaviour remains.
>
> What should I do?
>
> Thanks.

About the easiest way to go about it would be to set the umask for the
passwd command while in operation. Your umask right now is probably 022,
which is causing passwd, when updating those files, to rewrite a new file
with 022 0644 perms. Set your umask to something like 026 and that should
give files created during the time of execution the 0640 perms. Modifying
the code for passwd.c is senseless since every time you update your source
to upgrade, your changes will be overridden.

--- Try the following ---

sh & compatible.
alias passwd='umask 026 && passwd ;umask 022'

csh & compatible.
alias passwd 'umask 026 && \passwd ; umask 022'

Guess if you're pretty good with shell scripts you could also make a wrapper
around passwd and put it in root's private bin.

Best regards:
--c0ldbyte

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF7DF979F

iD8DBQFCPr8YsmFQuvffl58RAu7jAKCWQmJ7tE0OLNzJHS/AdX7rkx/OZQCbBZNx
FBo3Ho4htZk/LRMzWIhI+6E=
=crQG
-----END PGP SIGNATURE-----
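
The umask arithmetic from the reply above (022 gives 0644, 026 gives 0640), as an added example that is not part of the original message. The helper names (with_umask, perm_of, mode_under_umask, mode_after_chmod) are hypothetical; the script scopes the umask to one command in a subshell and also shows that an explicit chmod after creation is not affected by the umask.

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical.

# Run one command with a temporary umask. The subshell keeps the change
# from leaking into the caller, so no "umask 022" reset is needed afterwards.
with_umask() {
    _mask=$1; shift
    ( umask "$_mask" && exec "$@" )
}

# Print the permission string (e.g. -rw-r-----) of a path, portably.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a fresh file under the given umask and report the mode it received.
# Shell redirection requests mode 0666; the kernel clears the umask bits.
mode_under_umask() {
    _dir=$(mktemp -d) || return 1
    with_umask "$1" sh -c ': > "$1"' sh "$_dir/f"
    perm_of "$_dir/f"
    rm -rf "$_dir"
}

# umask only applies at creation time: an explicit chmod afterwards wins.
mode_after_chmod() {
    _dir=$(mktemp -d) || return 1
    with_umask "$1" sh -c ': > "$1" && chmod "$2" "$1"' sh "$_dir/f" "$2"
    perm_of "$_dir/f"
    rm -rf "$_dir"
}

echo "umask 022 -> $(mode_under_umask 022)"
echo "umask 026 -> $(mode_under_umask 026)"
echo "umask 026 then chmod 644 -> $(mode_after_chmod 026 644)"
```

A wrapper script along the lines suggested in the reply would call `with_umask 026 /usr/bin/passwd "$@"`; whether the rewritten files keep that mode depends on the program not setting modes explicitly, as the last case shows.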