Subject: Re: replacement for /etc/passwd
To: None <tech-security@netbsd.org>
From: Alan Post <apost@interwoven.com>
List: tech-security
Date: 12/11/2002 15:26:33
> * Charles Blundell (cb@kittenz.org) [021210 16:38]:
>> 
>> (with a setgid "auth" passwd(1))
>>
>> consider this hierarchy:
>> 
>> /etc/userdb		root:auth	rwxr-x---
>> /etc/userdb/user	root:wheel	rwxr-xr-x
>> /etc/userdb/user/uid	root:wheel	rw-r--r--
>> ...
>> /etc/userdb/user/pwhash	user:wheel	rw-------
>> 
>> so to change their password, the user must gain both their uid and the
>> group auth. group auth has no rights other than read and scan for
>> the top level directory.

How about the following modification, that would allow world read
access to the username<->uid mappings?

/etc/userdb                      root:wheel  drwxr-xr-x
/etc/userdb/user                 root:wheel  drwxr-xr-x
/etc/userdb/user/uid             root:wheel  -rw-r--r--
/etc/userdb/user/private         root:auth   drwxr-x---
/etc/userdb/user/private/pwhash  user:wheel  -rw-------


  Alan
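A small model of the kernel's path-walk permission check, added here as an example (not code from either poster), that evaluates both hierarchies above for a few hypothetical principals: the account "user" with and without the auth group, another account "mallory" holding auth, and an unrelated process "nobody". It shows why world can resolve uid in Alan's layout but not in Charles's, and that pwhash still needs both the user's uid and the auth group in either.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: str   # symbolic mode, e.g. "rwxr-x---"

def _bits(entry, user, groups):
    """Pick the owner, group or other triplet that applies to the caller."""
    if user == entry.owner:
        return entry.mode[0:3]
    if entry.group in groups:
        return entry.mode[3:6]
    return entry.mode[6:9]

def can_access(tree, path, user, groups, want):
    """True if `user` (with supplementary `groups`) may do `want` ('r' or
    'w') on `path`: every ancestor directory must grant search (x), then the
    leaf must grant the requested bit. root bypasses DAC entirely.
    Ancestors absent from `tree` (e.g. /etc) are assumed world-searchable."""
    if user == "root":
        return True
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent = tree.get("/" + "/".join(parts[:depth]))
        if parent is not None and "x" not in _bits(parent, user, groups):
            return False
    return want in _bits(tree[path], user, groups)

# The hierarchy Charles proposed (constructed from the quoted message).
CHARLES = {
    "/etc/userdb":             Entry("root", "auth",  "rwxr-x---"),
    "/etc/userdb/user":        Entry("root", "wheel", "rwxr-xr-x"),
    "/etc/userdb/user/uid":    Entry("root", "wheel", "rw-r--r--"),
    "/etc/userdb/user/pwhash": Entry("user", "wheel", "rw-------"),
}
# Alan's modification, with pwhash moved under an auth-only private/ directory.
ALAN = {
    "/etc/userdb":                     Entry("root", "wheel", "rwxr-xr-x"),
    "/etc/userdb/user":                Entry("root", "wheel", "rwxr-xr-x"),
    "/etc/userdb/user/uid":            Entry("root", "wheel", "rw-r--r--"),
    "/etc/userdb/user/private":        Entry("root", "auth",  "rwxr-x---"),
    "/etc/userdb/user/private/pwhash": Entry("user", "wheel", "rw-------"),
}

if __name__ == "__main__":
    # "nobody" with no groups stands in for any unprivileged uid lookup.
    print("world reads uid (Charles):", can_access(CHARLES, "/etc/userdb/user/uid", "nobody", set(), "r"))
    print("world reads uid (Alan):   ", can_access(ALAN, "/etc/userdb/user/uid", "nobody", set(), "r"))
```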