From: "A. Wilcox"
Date: Wed, 13 Oct 2021 01:16:30 -0500
To: musl@lists.openwall.com
Subject: Re: [musl] get/set*ent functions and real world applications

On Oct 11, 2021, at 12:41 PM, Érico Nogueira <ericonr@disroot.org> wrote:
>
> Things in /etc
> can, theoretically, only be written to by root or at least trusted
> users, so treating as entirely untrusted seems a bit over the top...

My understanding is that tcb exists explicitly to make these files modifiable by non-root users, to make the shadow tools unprivileged.

I don't recall if GECOS or group fields are included in tcb, or if it is only the password itself.  If the other fields are included, this is a much more important bug than otherwise.

Best,
-arw

--
A. Wilcox (Sent from my iPhone)
Mac, iOS, Linux software engineer
