Subject: group for access to the password database
To: None <tech-security@netbsd.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-security
Date: 07/10/2000 08:26:59
Message-ID: <8kc1cj$97t$1@colwyn.zhadum.de>

	Hello,

at the moment "/etc/master.passwd" can be read by "root" only:

tron@lyssa:~>ls -l /etc/master.passwd 
-rw-------  1 root  wheel  5821 Jul 10 09:16 /etc/master.passwd

This makes it necessary to install e.g. X11 screenlockers like "xlock"
or "xlock" setuid "root". I wonder if it would make sense to invent
a group "passwd" which can read but not write "/etc/master.passwd".
Screenlockers would only have to be setgid "passwd" afterwards which
would of course reduce the risk of security problems caused by
such programs.

	Kind regards

-- 
Matthias Scheler                            http://www.sighardstrasse.de/~tron/