/usr/bin/chage is suid root.
It runs fine "sgid shadow", proving /etc/shadow is group
shadow and group readable.
Principle of least privilege is violated.
It is a fairly trivial enhancement. It could be implemented
along with making /sbin/pwdb_chkpwd "sgid shadow" too. Two
fewer suid root binaries, can't be bad, can it?
That means that the /etc directory will have to be writeable by the
shadow group, because that's where the lock files are created. Making
the whole /etc writeable for the shadow group is not a small price to
pay for this :-(
Why would the shadow group need locking? Certainly many of the shadow
utilities don't use locks, including chage as far as I can tell. pwdb_pwchck
also appears not to use locks, so this should actually be pretty painless.
I think that this is something that's actually worth implementing, as RedHat has
been getting better re set-uid utilities, this would nail another couple.