help-cfengine

RE: Ways to manage passwd/shadow files?


From: Tim Nelson
Subject: RE: Ways to manage passwd/shadow files?
Date: Fri, 11 Mar 2005 10:48:39 +1100 (EST)

On Thu, 10 Mar 2005, Atom Powers wrote:

What's the best way to use cfengine to manage /etc/passwd and /etc/shadow?
Ditto.

        LDAP+nsswitch?  :).

I think hash comments *are* allowed in the passwd file, at least in FreeBSD
they are. But there are other issues as well.

        They were on Linux last time I tried it (maybe 3 years ago).

- passwd and shadow (or master.passwd) need to be exactly the same except
that the shadow file has the password hash.
- The shadow file can not be built from the passwd file, but the passwd file
could be built from the shadow file.

Both wrong (at least on Redhat, and probably on others too). passwd has a passwd field that is simply an 'x' on systems that use the shadow stuff (as you implied), but the shadow file is completely different in format. From "man 5 shadow" on my Fedora box, the shadow fields are:
-       Login name
-       Encrypted password
-       Days since Jan 1, 1970 that password was last changed
-       Days before password may be changed
-       Days after which password must be changed
-       Days before password is to expire that user is warned
-       Days after password expires that account is disabled
-       Days since Jan 1, 1970 that account is disabled
-       A reserved field

So as you can see, the only fields it shares with passwd are the login name, and historically, the encrypted password.

- But keeping a shadow file available to cfengine could compromise the
security of the file; the source file or the temporary file made during the
copy.

        My thoughts exactly.

- I don't know that cfengine has the ability to modify the password files
safely. Modifying either password file without using vipw or the like
probably won't update both the passwd and shadow files, which is absolutely
required.

        cat foo >> /etc/passwd
        cat foo >> /etc/shadow

Not that I think it's a good idea, though. I always used a combination of cfengine's shellcommands, and adduser/usermod.

So, if it is possible to ensure the security of the shadow file while
cfengine is running, it should be possible to push out a shadow file and then
run vipw or the like to create the passwd file. How can we guarantee the
security of the shadow file?

Not a good idea. If I had to pick one thing not to overwrite from central, passwd/shadow would be it. cfperl has some user modification commands; you may like this functionality. Alternatively, you could write a method that performs various operations on users, eg. create (if not existing), delete, modify, and the like, and then call them from your other cfengine scripts. If you do that, we'd be interested in seeing them.

        :)

--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne, Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: tim.nelson@webalive.biz
http://www.webalive.biz/

"Your Business, Your Web, Your Control"
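Added example, not code from the thread or from cfengine: a small checker that parses passwd and shadow lines using the nine shadow fields quoted above and reports the cross-file inconsistencies the discussion warns about (a login appended to only one file, a passwd entry without 'x', an empty shadow hash). The file contents and hash value are constructed samples.

```python
# Added example (not from the thread): parse /etc/passwd and /etc/shadow and
# check the cross-file consistency the discussion calls "absolutely required".
# All sample data below is constructed.

# Shadow field names in the order "man 5 shadow" lists them (nine fields).
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "reserved")

def _parse(text, nfields):
    """Yield field lists; skip blanks and '#' comments, reject malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        yield parts

def parse_shadow(text):
    """Return {login: {field: value}} for a shadow file."""
    return {p[0]: dict(zip(SHADOW_FIELDS, p)) for p in _parse(text, 9)}

def parse_passwd(text):
    """Return {login: password field} for a passwd file (7 fields per line)."""
    return {p[0]: p[1] for p in _parse(text, 7)}

def check_consistency(passwd_text, shadow_text):
    """Return findings (empty list means consistent): every login must be in
    both files, passwd must carry 'x', and no shadow hash may be empty."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, pw in passwd.items():
        if name not in shadow:
            findings.append(f"{name}: in passwd but not in shadow")
        elif pw != "x":
            findings.append(f"{name}: passwd field is {pw!r}, expected 'x'")
    for name, ent in shadow.items():
        if name not in passwd:
            findings.append(f"{name}: in shadow but not in passwd")
        elif ent["hash"] == "":
            findings.append(f"{name}: empty shadow hash, login needs no password")
    return findings

# Constructed sample: 'bob' was appended to passwd only; 'eve' has no hash.
PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
          "bob:x:1001:1001::/home/bob:/bin/sh\n"
          "eve:x:1002:1002::/home/eve:/bin/sh\n")
SHADOW = ("# constructed sample, not a real hash\n"
          "root:$6$saltsalt$FAKEHASH:12000:0:99999:7:::\n"
          "eve::12000:0:99999:7:::\n")
```

Run `check_consistency(PASSWD, SHADOW)` to list the two findings for the sample; the same function can be pointed at real files read from disk.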



