Message-ID: <20060702044735.GR1128@annvix.org>
Date: Sat, 1 Jul 2006 22:47:35 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

* Solar Designer <solar@...nwall.com> [2006-07-02 07:47:22 +0400]:
> > > SimplePAMApps is a package that provides small PAM-only implementations
> > > of login, passwd, and su. It is essentially unmaintained upstream - so
> > > we're maintaining it ourselves. (Maybe we should be making releases of
> > > "our" SimplePAMApps separately from Owl.)
>
> On Sat, Jul 01, 2006 at 09:21:10PM -0600, Vincent Danen wrote:
> > Yeah, I finally updated my CVS copy of owl and started grepping for
> > passwd and found that. I was fiddling with it a bit before I had to
> > take off, and there's some gcc4 cleanup that's needed I think in order
> > for passwd to compile properly.
>
> If SimplePAMApps requires any fixes for gcc 4.1+, I'm sure Dmitry
> already has those implemented for ALT Linux's distributions.

Poking around the ALT site now to see if I can find something.

> > But I plan on dropping that in on my test vm and see if that makes a
> > difference. If so, it'll be nice because our passwd is the only thing
> > that uses libuser, so if I can drop it, fantastic. The other stuff I
> > see in SimplePAMApps look to already be provided by util-linux, so the
> > only thing I'm really interested in is passwd.
>
> The implementations of all three utilities - login, passwd, and su - are
> smaller and likely safer than those from util-linux and the shadow suite.
>
> Owl-current on x86:
>
> -rwx------ 1 root root 18604 2006-05-06 03:56 /bin/login
> -rwx------ 1 root root 19120 2006-05-06 03:56 /bin/su
> -rwx--s--x 1 root shadow 6884 2006-05-06 03:56 /usr/bin/passwd
>
> RHEL3 Update 6 on x86:
>
> -rwxr-xr-x 1 root root 19868 Sep 14 2005 /bin/login
> -rwx------ 1 root root 46156 Jul 22 2005 /bin/su
> -r-s--x--x 1 root root 17700 Jun 25 2004 /usr/bin/passwd
>
> (the perms on /bin/su is a local change).

Ahhh... ok, I'll give those a go then as soon as I grab this SRPM I'm
seeing on the ALT FTP site.

> > I should, now that I'm thinking of it, just try the passwd program from
> > the shadow-utils suite too... that might work.
>
> Yes, it might work, but I do not recommend it.

I kinda wanted to rule out the passwd program I currently have first
before building new packages and specs, just to be sure that it is what
I'm suspecting instead of, say, a problem with the forward-port.

> > In fact, openwall was where I got the
> > idea of tagging stuff with -avx- or -fdr- or -mdk-, etc.
>
> FWIW, when Red Hat Linux was split into RHEL and Fedora, we continued to
> tag patches from Fedora with -rh-. We did not introduce a -fdr-.

I typically note them from what distro they come from. I suppose it
doesn't much matter since it usually serves as just a general reference
to indicate where it came from.
--
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
:: Annvix - Secure Linux Server: http://annvix.org/ ::