Persistent FACL for /etc/shadow possible?
I'm trying to find a way to add a persistent FACL to /etc/shadow.

Unfortunately, when anyone uses the passwd command the file doesn't
get updated - it gets _replaced_, gaining a new inode with new
(default) permissions.

I tried creating /etc/stmp with the appropriate FACL, and it does get
inherited when it is renamed to /etc/shadow (I've been digging through
truss output from the passwd command), but since stmp also gets
unlinked afterwards, this only works once (so after 2 password
changes, the FACL is lost).

This gets around the need for a duplicate root account (or using root
itself) - so this actually increases security over a proposed
configuration.

Alternatively, is there another way (via RBAC maybe?) to allow a
_single_ user to read the shadow file?

I'd rather not have to put a modified passwd command on the systems.

BTW: This has been tested in Solaris 9 & 10.

Thank you very much,
Kevin
_______________________________________________
sunmanagers mailing list
sunmanagers@xxxxxxxxxxxxxxx
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
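The mechanism Kevin describes (passwd writes a temporary file and renames it over /etc/shadow, so the ACL set on the old inode vanishes) is easy to reproduce without touching a real shadow file. The following is an added example, not code from the original post or from Solaris: it builds a throwaway "shadow" file in a temporary directory, uses the permission bits as a stand-in for the FACL (both are attributes of the inode, so both are lost the same way), and contrasts a rename-based update with an in-place rewrite. The temp-file name `.stmp` is an assumption modelled on the /etc/stmp name seen in the truss output; the file contents are constructed placeholders, not real password hashes.

```python
import os
import stat
import tempfile

# Stand-in for the FACL: a non-default mode we want to survive updates.
CUSTOM_MODE = 0o640


def write_by_replace(path, data):
    """Mimic passwd's strategy: write a temp file beside the target and
    rename it over the original. The target ends up with a NEW inode that
    carries the temp file's permissions/ACL, not the old inode's."""
    tmp = path + ".stmp"  # assumption: name modelled on Solaris' /etc/stmp
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.rename(tmp, path)  # atomic swap; old inode is unlinked


def write_in_place(path, data):
    """Truncate and rewrite the existing inode; mode and any ACL on it
    survive because the inode itself is reused."""
    with open(path, "r+") as f:
        f.seek(0)
        f.truncate()
        f.write(data)


def observe(path):
    """Return (inode number, permission bits) for a path."""
    st = os.stat(path)
    return st.st_ino, stat.S_IMODE(st.st_mode)


def demo(strategy):
    """Create a constructed shadow-like file with CUSTOM_MODE, update it with
    the given strategy, and report whether the inode and mode survived."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shadow")
        with open(path, "w") as f:
            f.write("alice:*:1:::::\n")  # constructed placeholder, no real hash
        os.chmod(path, CUSTOM_MODE)
        before = observe(path)
        strategy(path, "alice:*:2:::::\n")
        after = observe(path)
        return {
            "inode_kept": before[0] == after[0],
            "mode_before": before[1],
            "mode_after": after[1],
        }


if __name__ == "__main__":
    for name, strategy in (("rename over", write_by_replace), ("in place", write_in_place)):
        r = demo(strategy)
        print(f"{name:11s}: inode kept={r['inode_kept']}, "
              f"mode {r['mode_before']:o} -> {r['mode_after']:o}")
```

Running it shows the rename strategy producing a fresh inode with the temp file's 0600 mode, while the in-place rewrite keeps both the inode and the 0640 mode. This is exactly why an ACL on /etc/shadow cannot be made persistent from the file side alone: any tool that updates by rename discards it, and the decision has to be made in the tool (or, as the post asks, by granting read access through a mechanism that does not depend on the file's own ACL).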