TCB(5)TCB(5)NAMEtcb - alternative password shadowing scheme
PROBLEM
With the traditional password shadowing scheme, password hashes and
password aging information of all users is stored in one file,
/etc/shadow. Therefore, if a process requires access to information on
a single user, it is forced to possess privileges which are sufficient
to access data on all users. This is a design flaw, which is most
clearly visible in the case of passwd(1) utility. Let's assume that
unprivileged users are to be allowed to change their own passwords.
Whatever permissions are assigned to /etc/shadow, passwd(1), invoked by
unprivileged user U, must be able to modify the contents of this file.
If malicious user U finds a way to control the passwd(1) process (with
the help of a buffer overflow or another bug in the passwd(1) code, in
the libraries it uses, or in the kernel), the user will be able to
change passwords of all users and thus obtain full control over the
system.
SOLUTION
The solution is straightforward - each user is assigned its own, sepa‐
rate shadow-style file. User U's shadow file is owned by U, so
passwd(1) invoked by U does not require superuser privileges.
The directory where all users' shadow files reside is /etc/tcb:
drwx--x--- 2 root shadow 1024 Jul 4 01:18 /etc/tcb
For each user, there is a directory under /etc/tcb with appropriate
ownership and permissions:
# ls -l /etc/tcb
total 2drwx--s--- 2 root auth 1024 Jul 4 01:18 root
drwx--s--- 2 user auth 1024 Jul 4 01:18 user
and so on. Each of the directories contains a shadow file for just the
appropriate user:
# ls -l /etc/tcb/user
total 1-rw-r----- 1 user auth 91 Jul 4 01:18 shadow
The per-user directories are also used as scratch space for temporary
and lock files which are needed during password change.
ADVANTAGES
This design has the following benefits:
1. passwd(1) needs to be SGID to group shadow only, not SUID to
root. chage(1) and /usr/libexec/chkpwd/tcb_chkpwd are SGID to
group shadow too, which with the tcb scheme means they only pos‐
sess the privilege to access the user's own shadow file entry.
A bug in one of these utilities may at most give a malicious
user direct access to their own shadow file.
2. If a process needs to possess read-only access to all shadow
files, it is sufficient to assign it supplementary groups
"shadow" and "auth".
3. On systems supporting NSS, this scheme is completely transparent
to applications which need read-only access to shadow file
information. The libnss_tcb library implements getspnam(3) and
other related functions with their traditional semantics. Pass‐
word changing is provided by pam_tcb(8), a PAM module.
See the tcb_convert(8) manual page for instructions on how to enable
the tcb scheme seamlessly.
DISADVANTAGES
Honestly, there are a few minor ones:
1. It is impractical to lock all of the shadow database (see
tcb_unconvert(8)).
2. Giving a process read-only access to all shadow files as
described above has the side-effect of also giving it read-write
access to the shadow entry of the (pseudo-)user it is running
as.
3. It is impossible to give a process privileges sufficient for
read-only access to a single shadow file only, without also hav‐
ing it actually run as the user.
4. The user management tools initially required heavy patching to
support the tcb scheme.
WORKAROUNDS FOR FILESYSTEMS LIMITS
In case of ext2fs, the maximum number of hardlinks to a single file is
limited to 32000. Therefore, with this filesystem, there can be at
most 31998 directory entries in /etc/tcb and, with the filesystem lay‐
out described above, at most 31998 users.
The workaround: a tcb directory of user U can be located not only in
/etc/tcb, but also in /etc/tcb/:some/path. In the latter case, there
should be a symlink /etc/tcb/U -> /etc/tcb/:some/path/U.
Starting with tcb 0.9.8, directories which match the shell pattern
/etc/tcb/:* are not treated as per-user directories by tcb libraries.
These directories are reserved to hold symlinked per-user directories,
and for other purposes.
By default, shadow suite utilities create directory entries directly in
/etc/tcb; if one expects more than 31998 users on the system, one can
switch on the symlink creation anytime by editing login.defs(5) config
file.
AUTHORS
The tcb suite was implemented for Openwall GNU/*/Linux by Rafal
Wojtczuk <nergal at owl.openwall.com> and Solar Designer <solar at
owl.openwall.com>. pam_tcb is meant to be backwards-compatible with
pam_unix, therefore some design decisions are cloned from pam_unix.
Also certain less critical code fragments, as well as some of the code
layout, are taken from the Linux-PAM implementation of pam_unix. The
names of contributors to pam_unix can be found under orig_copyright/ in
source distribution of the tcb suite.
SEE ALSOlogin.defs(5), pam_tcb(8), tcb_convert(8)Openwall Project 18 April 2003 TCB(5)
