chmod 640 /var/lib/misc/shadow.db about nsscache HOT 4 CLOSED

Comment #1 originally posted by jaqx0r on 2013-09-16T12:35:41.000Z:

Should be safe before any data is written, and it probably should be created with the same permissions and ownership as /etc/shadow and /etc/shadow.cache.

Err, from memory: nsscache no longer makes .db files by default ???

from nsscache.

Comment #2 originally posted by jaqx0r on 2013-09-19T13:53:10.000Z:

I've had a bit of a look.

nsscache should be setting the .db to the same permissions as the original file, using shutil.copymode(). If that fails, it sets it to 644.

makedb, the process that makes shadow.db does not write to stdout, so it doesn't follow normal mkstemp() processes. It does, however, honour umask.

The attached patch should give you a file that's 0000 or 0400 after running. Can you try it?

If it does NOT work, can you possibly try shutil.copymode() in a python process? Does it exist in your version of python?

from nsscache.

Comment #3 originally posted by jaqx0r on 2013-09-21T20:10:02.000Z:

I found what seems to be the root cause of the problem: the call to GetCompatFilename returns "/var/lib/misc/shadow" (my nsscache.conf has "nssdb_dir = /var/lib/misc" in it), so copymode fails.

What did work for me is:

--- caches.py.orig 2013-09-21 22:05:39.073824061 +0200
+++ caches.py 2013-09-21 22:06:32.417825015 +0200
@@ -169,7 +169,7 @@

def GetCompatFilename(self):
"""Return the filename where the normal (not-cache) map would be."""

• return os.path.join(self.output_dir, self.map_name)
• return os.path.join('/etc', self.map_name)

def GetMapLocation(self):
"""Return the location of the Map in this cache.

from nsscache.

Comment #4 originally posted by jaqx0r on 2013-10-01T10:21:08.000Z:

This issue was closed by revision b1e9f6ed3a06.

from nsscache.