bin/96248: vipw fail on RO /etc
Alex Kozlov
spam at rm-rf.kiev.ua
Mon Apr 24 11:50:21 UTC 2006
The following reply was made to PR bin/96248; it has been noted by GNATS.
From: Alex Kozlov <spam at rm-rf.kiev.ua>
To: Maxim Konovalov <maxim at macomnet.ru>
Cc: bug-followup at freebsd.org
Subject: Re: bin/96248: vipw fail on RO /etc
Date: Mon, 24 Apr 2006 14:39:53 +0300
On Mon, Apr 24, 2006 at 12:24:29PM +0400, Maxim Konovalov wrote:
> On Mon, 24 Apr 2006, 11:07+0300, Alex Kozlov wrote:
>
> > On Mon, Apr 24, 2006 at 11:17:08AM +0400, Maxim Konovalov wrote:
> > > [...]
> > > > if rootfs is mounted as read-only, vipw fails to execute with: vipw:
> > > > pw_tmp(): Read-only file system error.
> > > > >How-To-Repeat:
> > > > #mount |grep -w /
> > > > /dev/da0s1 on / (ufs, local, read-only)
> > > >
> > > > #vipw
> > > > vipw: pw_tmp(): Read-only file system
> > > > >Fix:
> > > > Change the temporary file path in pw_tmp() from
> > > >
> > > > if (snprintf(tempname, sizeof(tempname), "%.*spw.XXXXXX",
> > > > (int)(p - masterpasswd), masterpasswd) >= (int)sizeof(tempname)) {
> > > >
> > > > to more appropriate?
> > >
> > > And what is more appropriate?
> > Quite a good solution may be to add a fallback mechanism in case the masterpasswd
> > directory is not writable.
> >
> > Are there any (security?) reasons which prevent storing the
> > pw_tmp file in /tmp?
>
> Perhaps there are, I don't know. I don't think changing the passwd temp
> files' location is a good idea.
In the case of /tmp? Perhaps. Just to be on the safe side, choose a directory
writable only by root. Say, /var/run.
Sudo already uses /var/run/sudo.
Any security advantages of /etc in comparison with /var/run?
Both have equal permissions.
If a crash happens, /var/run/pw.XXXXXX will be cleaned on the next startup;
/etc/pw.XXXXXX and especially /path/to/unknown/pw.XXXXXX - never.
Race working on /var/run but not on /etc? Hmm.
> What is the problem you are trying to solve?
You probably suggest doing something like:
sudo less /etc/master.passwd
sudo mount -uw /
sudo vipw
?
One more line for sudoers. One more time typing a password.
Perhaps.
--
Adios
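The pw_tmp() path construction quoted in the PR, together with the fallback-directory idea the thread discusses, as an added C example that is not FreeBSD's libutil code; pw_tmpname, pw_tmp_open, pw_tmp_open_fallback and the fallbackdir argument are assumed names for illustration:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build "<directory of masterpasswd>pw.XXXXXX" the way the quoted
 * pw_tmp() snprintf does: p points just past the last '/', so "%.*s"
 * copies only the directory prefix. Returns 0, or -1 (ENAMETOOLONG)
 * when the name would not fit in tempname. */
int pw_tmpname(const char *masterpasswd, char *tempname, size_t size)
{
    const char *p = strrchr(masterpasswd, '/');
    p = (p != NULL) ? p + 1 : masterpasswd;
    if (snprintf(tempname, size, "%.*spw.XXXXXX",
        (int)(p - masterpasswd), masterpasswd) >= (int)size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Create the temp file beside masterpasswd. When that directory lives on
 * a read-only filesystem, mkstemp() fails with EROFS, which is the
 * "pw_tmp(): Read-only file system" error the PR reports. */
int pw_tmp_open(const char *masterpasswd, char *tempname, size_t size)
{
    if (pw_tmpname(masterpasswd, tempname, size) == -1)
        return -1;
    return mkstemp(tempname);
}

/* Hypothetical fallback as proposed in the thread: if the master.passwd
 * directory cannot be written to, create the temp file in a directory
 * writable only by root (e.g. /var/run) instead. Other errors, such as
 * ENAMETOOLONG, are returned unchanged so they are not masked. */
int pw_tmp_open_fallback(const char *masterpasswd, const char *fallbackdir,
    char *tempname, size_t size)
{
    int fd = pw_tmp_open(masterpasswd, tempname, size);
    if (fd != -1 || (errno != EROFS && errno != EACCES && errno != EPERM))
        return fd;
    if (snprintf(tempname, size, "%s/pw.XXXXXX", fallbackdir) >= (int)size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(tempname);
}
```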