Date: Wed, 13 Oct 2021 09:56:10 -0400
From: Rich Felker <dalias@...c.org>
To: "A. Wilcox" <awilfox@...lielinux.org>
Cc: musl@...ts.openwall.com
Subject: Re: get/set*ent functions and real world applications

On Wed, Oct 13, 2021 at 01:16:30AM -0500, A. Wilcox wrote:
> On Oct 11, 2021, at 12:41 PM, Érico Nogueira <ericonr@...root.org> wrote:
> > 
> > Things in /etc
> > can, theoretically, only be written to by root or at least trusted
> > users, so treating as entirely untrusted seems a bit over the top...
> 
> My understanding is that tcb exists explicitly to make these files
> modifiable by non-root users, to make the shadow tools unprivileged.
> 
> I don't recall if GECOS or group fields are included in tcb, or if
> it is only the password itself. If the other fields are included,
> this is a much more important bug than otherwise.

Users necessarily can't change their group memberships. They can't
change anything in passwd db at all, only shadow, and only for
themselves, and only if permissions are set so as to allow that.

Rich
