Usr/bin/passwd and the CAP_CHOWN capability?

The cap_chown is not required for the passwd itself. It is only needed to change the /etc/shadow file associated with the userID The /etc/shadow file is set so that it cannot be read by just anyone etc/shadow is only accessible to root. So when /etc/passwd finishes it's authentication module and is ready to write a new (encoded) password, it will create a token.

Which is accessed by the Linux-PAM service, which will chown it to root and write it into /etc/shadow Edit: passwd uses the files /etc/.pwd. Lock, /etc/shadow , /etc/nshadow. Since passwd reads and writes from /etc directory, w permissions are requried by it.

Note that, /etc/shadow is never written by passwd. Passwd actually writes to /etc/nshadow and renames /etc/nshadow to /etc/shadow open('/etc/nshadow',O_WRONLY|O_CREAT)=fd1 open('/etc/shadow', O_RDONLY)=fd2 fchown(fd1, uid=root, gid=shadow) chmod /etc/shadow to : rw by owner and r by group read(fd2) write(fd1) rename("/etc/nshadow", "/etc/shadow") Furthermore, I confirmed the existence of etc/nshadow using this C program. FYI include #include int main() { while(1) if (access("/etc/nshadow",F_OK)!

=-1){ printf("Exists\n"); break; } return 0; }.

The cap_chown is not required for the passwd itself. It is only needed to change the /etc/shadow file associated with the userID. The /etc/shadow file is set so that it cannot be read by just anyone.

/etc/shadow is only accessible to root. So when /etc/passwd finishes it's authentication module and is ready to write a new (encoded) password, it will create a token. Which is accessed by the Linux-PAM service, which will chown it to root and write it into /etc/shadow.

Edit: passwd uses the files /etc/.pwd. Lock, /etc/shadow , /etc/nshadow. Since passwd reads and writes from /etc directory, w permissions are requried by it.

Note that, /etc/shadow is never written by passwd. Passwd actually writes to /etc/nshadow and renames /etc/nshadow to /etc/shadow. Open('/etc/nshadow',O_WRONLY|O_CREAT)=fd1 open('/etc/shadow', O_RDONLY)=fd2 fchown(fd1, uid=root, gid=shadow) chmod /etc/shadow to : rw by owner and r by group read(fd2) write(fd1) rename("/etc/nshadow", "/etc/shadow") Furthermore, I confirmed the existence of /etc/nshadow using this C program.

FYI, #include #include int main() { while(1) if (access("/etc/nshadow",F_OK)! =-1){ printf("Exists\n"); break; } return 0; }.

I don't understand what you've written after /etc/shadow is only accessible to root – Apoorva Iyer Oct 21 at 16:40.

Setuid is all that originally was needed. The additions of SELinux (Security Enhanced) requires the program context to be correct as well as file permission checks. If the system's SE feature is disabled, passwd will work fine without any CAP_.... Somewhere I read that SE can be disabled by writing a "1" to /selinux/disable.

Presumably writing "0" reenables it. See NSA's description or Fedora's.

I'm using Ubuntu 11.04. It doesn't have SELinux. Also, the objective here being that I wan't to remove the setuid bit and just have capabilities applied to passwd.(Reducing the over-privileged-binary problem) – Apoorva Iyer Oct 21 at 12:45.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.