Bug 43706 - pam_unix does not preserve file permissions
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.1
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Nalin Dahyabhai
Aaron Brown
Reported: 2001-06-06 14:20 EDT by Joseph Dunn
Modified: 2007-04-18 12:33 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-06-06 14:20:57 EDT
Description Joseph Dunn 2001-06-06 14:20:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)

Description of problem:
When a user changes their password with the passwd utility as shipped with
Red Hat 7.0, the permissions on /etc/shadow are reset to be owned by root,
group root, and mode 0600 rather than preserving the permissions of the
old shadow file.  The permissions are actually changed by the pam_unix
module, which is called via /etc/pam.d/passwd, which uses
service=system-auth, which contains the line:

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow

Looking at the code for pam_unix.so, specifically the source file 
pam_unix_passwd.c, clearly the permissions for the updated /etc/passwd 
and /etc/shadow files are hardcoded.  Simply replacing the hardcoded 
values with information taken from stats of the existing files should fix 
the problem.


How reproducible:
Always

Steps to Reproduce:
1. Change default permissions on /etc/shadow from the default 0600 to 0640
2. Successfully change any user password using passwd
3. Check the permissions on /etc/shadow; they will be reset to the default


Additional info:
Comment 1 Nalin Dahyabhai 2001-08-30 22:39:30 EDT
This should be fixed in 0.75-10 and later.  Thanks!
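
The approach the description suggests (take owner, group and mode from a stat of the existing file and apply them to the replacement), as an added example that is not pam_unix's code and not part of this report. The function names, the temp-file suffix and the constructed sample entry are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: replace `path` with `data` via temp file + rename(),
 * copying owner, group and mode from the file being replaced. 0 on success. */
int rewrite_preserving(const char *path, const char *data)
{
    struct stat st;
    char tmp[4096];
    size_t len = strlen(data);
    int fd, ok;
    if (stat(path, &st) != 0 ||            /* metadata of the old file */
        snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) < 0)           /* starts 0600 while being filled */
        return -1;
    ok = write(fd, data, len) == (ssize_t)len
      && fchown(fd, st.st_uid, st.st_gid) == 0  /* before fchmod: chown may clear set-id bits */
      && fchmod(fd, st.st_mode & 07777) == 0    /* old mode, not a hardcoded 0600 */
      && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;           /* always close, keep any earlier failure */
    if (!ok || rename(tmp, path) != 0) {   /* rename() swaps the file atomically */
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Constructed demo: rewrite a stand-in shadow file set to 0640; returns its mode afterwards. */
int demo_mode_after_rewrite(void)
{
    char path[] = "/tmp/shadow-demo.XXXXXX";
    struct stat st;
    int fd = mkstemp(path), rc = -1;
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0640) == 0
        && rewrite_preserving(path, "user:$1$constructed$hash:11479:0:99999:7:::\n") == 0
        && stat(path, &st) == 0)
        rc = (int)(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return rc;
}

int main(void) { printf("mode after rewrite: %04o\n", (unsigned)demo_mode_after_rewrite()); return 0; }
```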
