Message-ID: <20060702034722.GA13712@openwall.com>
Date: Sun, 2 Jul 2006 07:47:22 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

I wrote:
> > SimplePAMApps is a package that provides small PAM-only implementations
> > of login, passwd, and su. It is essentially unmaintained upstream - so
> > we're maintaining it ourselves. (Maybe we should be making releases of
> > "our" SimplePAMApps separately from Owl.)

On Sat, Jul 01, 2006 at 09:21:10PM -0600, Vincent Danen wrote:
> Yeah, I finally updated my CVS copy of owl and started grepping for
> passwd and found that. I was fiddling with it a bit before I had to
> take off, and there's some gcc4 cleanup that's needed I think in order
> for passwd to compile properly.

If SimplePAMApps requires any fixes for gcc 4.1+, I'm sure Dmitry
already has those implemented for ALT Linux's distributions.

> But I plan on dropping that in on my test vm and see if that makes a
> difference. If so, it'll be nice because our passwd is the only thing
> that uses libuser, so if I can drop it, fantastic. The other stuff I
> see in SimplePAMApps look to already be provided by util-linux, so the
> only thing I'm really interested in is passwd.

The implementations of all three utilities - login, passwd, and su - are
smaller and likely safer than those from util-linux and the shadow suite.

Owl-current on x86:

-rwx------  1 root root   18604 2006-05-06 03:56 /bin/login
-rwx------  1 root root   19120 2006-05-06 03:56 /bin/su
-rwx--s--x  1 root shadow  6884 2006-05-06 03:56 /usr/bin/passwd

RHEL3 Update 6 on x86:

-rwxr-xr-x  1 root root   19868 Sep 14  2005 /bin/login
-rwx------  1 root root   46156 Jul 22  2005 /bin/su
-r-s--x--x  1 root root   17700 Jun 25  2004 /usr/bin/passwd

(the perms on /bin/su is a local change).

> I should, now that I'm thinking of it, just try the passwd program from
> the shadow-utils suite too... that might work.

Yes, it might work, but I do not recommend it.

> In fact, openwall was where I got the
> idea of tagging stuff with -avx- or -fdr- or -mdk-, etc.

FWIW, when Red Hat Linux was split into RHEL and Fedora, we continued to
tag patches from Fedora with -rh-. We did not introduce a -fdr-.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments