fedora-atomic discussion point: /usr/lib/passwd

Simo Sorce simo at redhat.com
Mon Apr 28 17:39:39 UTC 2014

On Mon, 2014-04-28 at 17:15 +0000, Colin Walters wrote:
> On Mon, Apr 28, 2014 at 12:45 PM, Tomasz Torcz <tomek at pipebreaker.pl> 
> wrote:
> > 
> >   Risking being totally offtopic, but would TCB solve all most of 
> > this issues?
> > www.openwall.com/tcb/  or 
> > http://www.openwall.com/presentations/Owl/mgp00020.html
> It helps a little, but the problem here is not exactly about the 
> underlying data format, but more about the merge/upgrade logic, which 
> TCB by itself doesn't quite solve.
> We would still need logic somewhere (likely ostree), like today how it 
> lives in RPM %post scripts to check whether users exist, and if not 
> create them.  The binding between that logic and how the files get 
> created on disk is the hard problem.
> Also I originally thought TCB was a good idea, but I got less excited 
> about it when I realized they'd just shifted setuid binaries to setgid. 
>  To me it'd be far more valuable to go the whole way and have 
> authentication/passwd talk to a system service.  Then you could even 
> implement stuff like rate limiting sanely.

We can do that with SSSD, which we are planning to take over all users
(though it will leave /etc/passwd on the system for emergency repair and
backward compatibility).


Simo Sorce * Red Hat, Inc * New York

More information about the devel mailing list