Describe the bug
Currently, /etc/shadow belongs to the root group. For many use cases, this poses no problems, but when some program needs to use PAM to authenticate on behalf of multiple users, the program needs to be executed as root (which seems generally unacceptable security-wise). One example is PAM authentication in Nginx, where the NixOS wiki currently recommends running Nginx as root (see discussion here on this).
Expected behavior
I think it's reasonable for /etc/shadow to belong to a group called "shadow" so users can make the decision on letting some programs/users read /etc/shadow. Debian seems to do this as well.
If maintainers agree this is a reasonable thing to do, and if someone can confirm if this change is as simple as adding a group called shadow and adding a line in update-users-group.pl chown-ing /etc/shadow to root:shadow, then I'll create a PR.
Notify maintainers
@edolstra @adisbladis
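A NixOS configuration sketch of the approach proposed above, added here as an illustration and not code from this issue or the linked PR. It assumes the group is named `shadow`, that the re-own must run after the `users` activation step (which rewrites /etc/shadow), and a 0640 mode matching Debian's layout; the `nginx` service name is the one the issue discusses.

```nix
{ config, lib, pkgs, ... }:
{
  # Dedicated group whose members may read /etc/shadow. The name "shadow" is
  # the one proposed in the issue (and the one Debian uses); gid is left dynamic.
  users.groups.shadow = { };

  # Re-own /etc/shadow after the "users" activation step has (re)written it,
  # so the ownership survives a nixos-rebuild. Mode 0640 is an assumption
  # taken from Debian: owner read/write, group read, no access for others.
  system.activationScripts.shadowGroup = {
    deps = [ "users" ];
    text = ''
      chown root:shadow /etc/shadow
      chmod 0640 /etc/shadow
    '';
  };

  # Grant read access only to the nginx service (not to every process of the
  # nginx user) via a supplementary group, instead of running nginx as root.
  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "shadow" ];
}
```

After activation, `stat -c '%U:%G %a' /etc/shadow` should report `root:shadow 640`; any other owner, group or mode means a later activation step reset it.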
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/nginx-pam-access-to-etc-shadow/6218/5
I've tackled this in https://github.com/NixOS/nixpkgs/pull/98676. PTAL.
Just as a reminder, the 20.09 release is scheduled to happen this Monday, the 28th.
If this is still relevant to blocking the release, then there should be some forward movement.
A blocker meeting has still yet to be scheduled. But, if you consider this item to still warrant blocking the entirety of the nixos-20.09 release, then please do so on the Feature freeze discussion issue. A template for proposing an item can be found at https://github.com/NixOS/nixpkgs/issues/95475#issuecomment-699218336
@jonringer As soon as the above PR is merged (https://github.com/NixOS/nixpkgs/pull/98676), it can be backported to 20.09, and this issue won't be blocking 20.09 anymore.