Section: File Formats (5)
Updated: 18 April 2003
- alternative password shadowing scheme
With the traditional password shadowing scheme, the password hashes and
password aging information of all users are stored in one file.
Therefore, if a process requires access to information on a single
user, it is forced to possess privileges which are sufficient to
access data on all users. This is a design flaw, which is most
clearly visible in the case of the password-changing utility. Let's
assume that unprivileged users are to be allowed to change their own
passwords. Whatever permissions are assigned to that file, the utility
invoked by unprivileged user U must be able to modify the contents of
this file. If malicious user U finds a way to control that process
(with the help of a buffer overflow or another bug in the code, in the
libraries it uses, or in the kernel), the user will be able to change
the passwords of all users and thus obtain full control over the
system.
The solution is straightforward: each user is assigned their own,
separate shadow-style file. User U's shadow file is owned by U, so the
password-changing utility invoked by U does not require superuser
privileges.
The directory where all users' shadow files reside is:
drwx--x--- 2 root shadow 1024 Jul 4 01:18 /etc/tcb
For each user, there is a subdirectory of it with appropriate
ownership and permissions:
# ls -l /etc/tcb
drwx--s--- 2 root auth 1024 Jul 4 01:18 root
drwx--s--- 2 user auth 1024 Jul 4 01:18 user
and so on.
Each of the directories contains a shadow file for just that user:
# ls -l /etc/tcb/user
-rw-r----- 1 user auth 91 Jul 4 01:18 shadow
The per-user directories are also used as scratch space for temporary
and lock files which are needed during password change.
BENEFITS
This design has the following benefits:
The password-changing utility needs to be SGID to group shadow only,
not SUID to root. The related account-management utilities are SGID to
group shadow too, which with the tcb scheme means they only possess
the privilege to access the user's own shadow file entry. A bug in one
of these utilities may at most give a malicious user direct access to
their own shadow file.
If a process needs to possess read-only access to all shadow files, it
is sufficient to assign it supplementary groups "shadow" and "auth".
On systems supporting NSS, this scheme is completely transparent to
applications which need read-only access to shadow file information:
the libnss_tcb library implements the shadow database lookup functions
and other related functions with their traditional semantics.
Password changing is provided by a PAM module; refer to its manual
page for instructions on how to enable the tcb scheme.
DRAWBACKS
Honestly, there are a few minor ones:
It is impractical to lock all of the shadow database as a whole.
Giving a process read-only access to all shadow files as described
above has the side-effect of also giving it read-write access to the
shadow entry of the (pseudo-)user it is running as.
It is impossible to give a process privileges sufficient for read-only
access to a single shadow file only, without also having it actually
run as the user.
The user management tools initially required heavy patching to support
the tcb scheme.
WORKAROUNDS FOR FILESYSTEM LIMITS
In the case of ext2fs, the maximum number of hard links to a single
file is limited to 32000. Since every subdirectory's ".." entry counts
as a link to its parent, with this filesystem there can be at most
31998 subdirectories in /etc/tcb and, with the filesystem layout
described above, at most 31998 users.
The workaround: a tcb directory of user U can be located not only
directly under /etc/tcb but also in a reserved subdirectory of it. In
the latter case, there should be a symlink
/etc/tcb/U -> /etc/tcb/:some/path/U.
Starting with tcb 0.9.8, directories whose names match the reserved
shell pattern are not treated as per-user directories by the tcb
libraries. These directories are reserved to hold symlinked per-user
directories, and for other purposes.
By default, shadow suite utilities create directory entries directly
in /etc/tcb; if one expects more than 31998 users on the system, one
can switch on the symlink creation at any time by editing the shadow
suite's configuration file.
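The layout invariants from the description above (/etc/tcb itself, the per-user directories and their shadow files) and the reserved-directory convention from this section, as an added example that is not part of the tcb suite: a POSIX shell audit that reads entries in the same "ls -l" format as the listings on this page and flags deviations. It assumes (from the /etc/tcb/:some/path/U example) that reserved directories are those whose names begin with a colon; the function names and the sample listing are constructed.

```shell
# Top-level tcb directory: root:shadow, drwx--x---. Args: mode owner group
tcb_check_topdir() {
    [ "$1" = "drwx--x---" ] && [ "$2" = "root" ] && [ "$3" = "shadow" ]
}

# Per-user shadow file: U:auth, -rw-r-----. Args: mode owner group user
tcb_check_shadow() {
    [ "$1" = "-rw-r-----" ] && [ "$2" = "$4" ] && [ "$3" = "auth" ]
}

# One entry of the tcb directory. Args: mode owner group name.
# Names starting with ':' are assumed to be the reserved holder
# directories, and symlinks are the large-system workaround; both are
# skipped here, their targets being audited as ordinary per-user dirs.
tcb_check_entry() {
    case "$4" in :*) return 0 ;; esac
    case "$1" in l*) return 0 ;; esac
    [ "$1" = "drwx--s---" ] && [ "$2" = "$4" ] && [ "$3" = "auth" ]
}

# Reads "ls -l /etc/tcb" output on stdin, prints each violation and
# returns the number of violations found (0 means conformant).
tcb_audit_listing() {
    bad=0
    while read -r mode _n owner group _s _mon _day _t name _rest; do
        [ -n "$name" ] || continue        # skips "total N" and blank lines
        if ! tcb_check_entry "$mode" "$owner" "$group" "$name"; then
            echo "VIOLATION: $mode $owner:$group $name"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample listing: alice's directory is owned by root rather
# than alice, and bob's entry is a plain file instead of a directory.
TCB_SAMPLE='drwx--s--- 2 root auth 1024 Jul 4 01:18 root
drwx--s--- 2 user auth 1024 Jul 4 01:18 user
drwx--s--- 2 root auth 1024 Jul 4 01:18 alice
-rw-r----- 1 bob auth 91 Jul 4 01:18 bob
drwx--s--- 2 root auth 1024 Jul 4 01:18 :0
lrwxrwxrwx 1 root root 16 Jul 4 01:18 carol -> /etc/tcb/:0/carol'

# Runs the audit over the sample; returns 2 (alice and bob).
tcb_demo() {
    printf '%s\n' "$TCB_SAMPLE" | tcb_audit_listing
}
```

On a live system the same functions can be fed with `ls -l /etc/tcb` piped into tcb_audit_listing, and each per-user shadow file checked with tcb_check_shadow against `ls -l /etc/tcb/U`.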
AUTHORS
The tcb suite was implemented for Openwall GNU/*/Linux by Rafal Wojtczuk
<nergal at owl.openwall.com> and Solar Designer <solar at owl.openwall.com>.
libnss_tcb is meant to be backwards-compatible with the standard NSS
implementation, therefore some design decisions are cloned from it.
Also certain less critical code fragments, as well as some of the code
layout, are taken from the Linux-PAM implementation of the Unix password
module. The names of contributors to that module can be found under
orig_copyright/ in the source distribution of the tcb suite.