Issue 29 in nsscache: chmod 640 /var/lib/misc/shadow.db

[nssc...@googlecode.com]

Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 29 by jmart...@ies1libertas.es: chmod 640 /var/lib/misc/shadow.db
http://code.google.com/p/nsscache/issues/detail?id=29

What steps will reproduce the problem?

1. # nsscache update
2. # ls -l /var/lib/misc/shadow.db

What is the expected output? What do you see instead?

Shouldn't shadow.db be chmodded 0640 after nsscache update? A simple '$
strings /var/lib/misc/shadow.db' reveals (crypt'ed) passwords.

What version of the product are you using? On what operating system?

mint 15 (olivia) xfce, nsscache version 0.21.19-1


--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[nssc...@googlecode.com]

Comment #1 on issue 29 by berend.d...@gmail.com: chmod 640
/var/lib/misc/shadow.db
http://code.google.com/p/nsscache/issues/detail?id=29

Should be safe before any data is written, and it probably should be
created with the same permissions and ownership as /etc/shadow and
/etc/shadow.cache.

Err, from memory: nsscache no longer makes .db files by default ???

[nssc...@googlecode.com]

Comment #2 on issue 29 by berend.d...@gmail.com: chmod 640
/var/lib/misc/shadow.db
http://code.google.com/p/nsscache/issues/detail?id=29

I've had a bit of a look.

nsscache should be setting the .db to the same permissions as the original
file, using shutil.copymode(). If that fails, it sets it to 644.

makedb, the process that makes shadow.db does not write to stdout, so it
doesn't follow normal mkstemp() processes. It does, however, honour umask.

The attached patch should give you a file that's 0000 or 0400 after
running. Can you try it?

If it does NOT work, can you possibly try shutil.copymode() in a python
process? Does it exist in your version of python?

Attachments:
umask.patch 730 bytes

[nssc...@googlecode.com]

Comment #3 on issue 29 by jmart...@ies1libertas.es: chmod 640
/var/lib/misc/shadow.db
http://code.google.com/p/nsscache/issues/detail?id=29

I found what seems to be the root cause of the problem: the call to
GetCompatFilename returns "/var/lib/misc/shadow" (my nsscache.conf
has "nssdb_dir = /var/lib/misc" in it), so copymode fails.

What did work for me is:

--- caches.py.orig 2013-09-21 22:05:39.073824061 +0200
+++ caches.py 2013-09-21 22:06:32.417825015 +0200
@@ -169,7 +169,7 @@

def GetCompatFilename(self):
"""Return the filename where the normal (not-cache) map would be."""
- return os.path.join(self.output_dir, self.map_name)
+ return os.path.join('/etc', self.map_name)

def GetMapLocation(self):
"""Return the location of the Map in this cache.

[nssc...@googlecode.com]

Updates:
Status: Fixed

Comment #4 on issue 29 by j...@spacepants.org: chmod 640
/var/lib/misc/shadow.db
http://code.google.com/p/nsscache/issues/detail?id=29

This issue was closed by revision b1e9f6ed3a06.