From: ttobler@unislc.slc.unisys.com (Trent Tobler)
Subject: Re: Dangers of password shadowing
Date: Fri, 14 May 1993 19:30:24 GMT

Helmut Springer (HELMUT@cip.physik.uni-stuttgart.de) wrote:
: In <1993May13.182744.26002@aston.ac.uk> evansmp@uhura.aston.ac.uk writes:
: > : Now the problem: The normal /etc/passwd file now looks like this:
: > :
: > : username::uid:gid:real name:home:shell
: > :
: > : Programs like passwd, that use the new system call getspnam know
: > : that this means shadowing and look up the password in /etc/shadow.
: > : Old programs, that still use getpwnam, think: "Oh, there is no pass-
: > : word set, so let 'em in !"
: >
: > Which is why it should look something like.
: > username:*:uid:gid:real name:home:shell
: >
: > Which will result in anyone using the old routines being disallowed access.
: right, I had already changed this....
: But wouldn't it be good to have the call getspwname() look up
: the password in /etc/shadow? Then all programs using this need not
: be changed to get the passwd from /etc/shadow and all other
: information from /etc/passwd (we just ported popper to linux
: and had to do this)...
Then what would be the point of a shadow file? The whole point of the
shadow file is to restrict access to the encoded passwords. I guess
a reasonable compromise would be that you can get the password information
if you are root, or if you have the user id for which you are requesting,
otherwise, you get '*'.
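
Added example, not part of the original post and not code from any shadow password package: a C sketch of the two points in this thread, the empty password field that a getpwnam-era program reads as "no password set", and the compromise proposed in the reply (hash visible only to root or to the owning uid). The function names and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed entries in the username:passwd:uid:gid:real name:home:shell layout. */
static const char *SAMPLE[] = {
    "alice::1001:100:Alice:/home/alice:/bin/sh",   /* empty field: unsafe */
    "bob:*:1002:100:Bob:/home/bob:/bin/sh",        /* '*': old callers refuse */
};

/* Copy colon-separated field idx (0-based) into out; -1 if missing or too long. */
int passwd_field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line;
    while (idx-- > 0) {
        if (!(p = strchr(p, ':'))) return -1;
        p++;
    }
    size_t n = strcspn(p, ":\n");
    if (n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* 1 if a pre-shadow program reading this line would see "no password set". */
int legacy_sees_no_password(const char *line)
{
    char pw[64];
    return passwd_field(line, 1, pw, sizeof pw) == 0 && pw[0] == '\0';
}

/* Compromise from the reply: real hash only for root or the account's own uid. */
const char *visible_hash(const char *line, const char *shadow_hash, long caller_uid)
{
    char uid[16], *end;
    if (passwd_field(line, 2, uid, sizeof uid) != 0 || uid[0] == '\0') return "*";
    long owner = strtol(uid, &end, 10);
    if (*end != '\0') return "*";                  /* malformed uid: fail closed */
    return (caller_uid == 0 || caller_uid == owner) ? shadow_hash : "*";
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-45s %s\n", SAMPLE[i], legacy_sees_no_password(SAMPLE[i]) ? "UNSAFE" : "ok");
    return 0;
}
```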