Persistent FACL for /etc/shadow possible?

From: Kevin Burtch (kburtch+sunm@gmail.com)
Date: Fri Sep 29 2006 - 10:21:11 EDT


I'm trying to find a way to add a persistent FACL to /etc/shadow.

Unfortunately, when anyone uses the passwd command, the file doesn't
get updated - it gets _replaced_, gaining a new inode with new
(default) permissions.

I tried creating /etc/stmp with the appropriate FACL, and it does get
inherited when it is renamed to /etc/shadow (I've been digging through
truss output from the passwd command), but since stmp also gets
unlinked afterwards, this only works once (so after 2 password
changes, the FACL is lost).

This gets around the need for a duplicate root account (or using root
itself) - so this actually increases security over a proposed
configuration.
Alternatively, is there another way (via RBAC maybe?) to allow a
_single_ user to read the shadow file?
I'd rather not have to put a modified passwd command on the systems.
BTW: This has been tested in Solaris 9 & 10.

Thank you very much,
Kevin
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
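The replace-rather-than-update behaviour described above, as an added shell example that is not part of the original message: it reproduces the temp-file-and-rename step on a scratch file, shows that the path ends up on a new inode (so an ACL set on the old inode is gone), and gives a check that detects the replacement so the ACL can be re-applied. The scratch file, the temp-file name and the ACL spec are assumed for illustration.

```shell
#!/bin/sh
# Added example: why an ACL on /etc/shadow does not survive passwd(1),
# and a check a cron job could run to re-apply it after a replacement.

# Print the inode number of a file (ls -i works on Solaris 9/10 and Linux).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Mimic what passwd does according to the truss output described in the
# post: write the new contents to a temp file, then rename it over the
# target.  The path stays the same, but it now refers to a brand-new inode
# created with default permissions, so any ACL on the old inode is lost.
replace_like_passwd() {
    target=$1
    tmp=$(dirname "$target")/stmp.$$     # stand-in for /etc/stmp
    cat "$target" > "$tmp"               # new inode, default permissions
    mv "$tmp" "$target"                  # rename(2); old inode is unlinked
}

# Return 0 if the file still has the inode recorded earlier, 1 if it has
# been replaced (and the ACL therefore needs re-applying).
inode_unchanged() {
    [ "$(inode_of "$1")" = "$2" ]
}

# Re-apply an ACL entry only when the file has been replaced.  $3 is a
# Solaris setfacl spec such as "user:auditor:r--,mask:r--" (assumed user).
# Returns 0 if nothing was needed, 1 if the file had been replaced.
reapply_acl_if_replaced() {
    file=$1 saved_inode=$2 aclspec=$3
    if inode_unchanged "$file" "$saved_inode"; then
        return 0
    fi
    setfacl -m "$aclspec" "$file"
    return 1
}

# Stand-alone demonstration on a scratch copy, never on the real shadow file.
if [ "${1:-}" = "demo" ]; then
    demo=/tmp/shadow.demo.$$
    echo "root:x:0:0:::" > "$demo"
    before=$(inode_of "$demo")
    replace_like_passwd "$demo"
    inode_unchanged "$demo" "$before" && echo "same inode" || echo "replaced"
    rm -f "$demo"
fi
```

Checking the inode is only a trigger; the re-apply still runs as root, so it closes the window only until the next passwd run and does not remove the need to audit who holds the ACL entry.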



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:40:54 EDT