authorTodd C. Miller <millert@cvs.openbsd.org>2002-11-21 21:25:20 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-11-21 21:25:20 +0000
commit2386d041ffdf7328f29f13e26f6e934109cae29e (patch)
tree110d855f9e2fef44139f6dff3b233a9d078b3638
parente45b5605a588b8dc925887830f0dbb33b7fd38be (diff)
Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and then fall back to the db w/o password hashes. In the future, /usr/libexec/auth/login_passwd (and others) will be setgid shadow instead of setuid root. OK deraadt@ If you track -current you should do the following: o add group shadow to /etc/group o chgrp shadow /etc/spwd.db o chmod 640 /etc/spwd.db o rebuild and install src/usr.sbin/pwd_mkdb You do not need to rebuild libc yet, but it wouldn't hurt to do so.
-rw-r--r--etc/group1
-rw-r--r--etc/mtree/special4
-rw-r--r--lib/libc/gen/getpwent.39
-rw-r--r--lib/libc/gen/getpwent.c10
-rw-r--r--usr.sbin/pwd_mkdb/pwd_mkdb.c19
5 files changed, 29 insertions, 14 deletions
diff --git a/etc/group b/etc/group
index 60c09cd0a18..f9bfb4d5ee8 100644
--- a/etc/group
+++ b/etc/group
@@ -23,6 +23,7 @@ _fingerd:*:33:
_sshagnt:*:34:
_x11:*:35:
utmp:*:45:
+shadow:*:65:
crontab:*:66:
www:*:67:
network:*:69:
diff --git a/etc/mtree/special b/etc/mtree/special
index a0cb05b0b13..7a18e3f8064 100644
--- a/etc/mtree/special
+++ b/etc/mtree/special
@@ -1,4 +1,4 @@
-# $OpenBSD: special,v 1.47 2002/10/04 23:28:38 deraadt Exp $
+# $OpenBSD: special,v 1.48 2002/11/21 21:25:19 millert Exp $
# $NetBSD: special,v 1.4 1996/05/08 21:30:18 pk Exp $
# @(#)special 8.2 (Berkeley) 1/23/94
#
@@ -69,7 +69,7 @@ security type=file mode=0644 uname=root gname=wheel
shells type=file mode=0644 uname=root gname=wheel
skey type=dir mode=01730 uname=root gname=auth optional
.. #skey
-spwd.db type=file mode=0600 uname=root gname=wheel
+spwd.db type=file mode=0640 uname=root gname=shadow
ssh type=dir mode=0755 uname=root gname=wheel optional
ssh_config type=file mode=0644 uname=root gname=wheel
ssh_host_dsa_key type=file mode=0600 uname=root gname=wheel optional
diff --git a/lib/libc/gen/getpwent.3 b/lib/libc/gen/getpwent.3
index 083fc2597ea..438e4f338ca 100644
--- a/lib/libc/gen/getpwent.3
+++ b/lib/libc/gen/getpwent.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: getpwent.3,v 1.15 2000/12/24 00:30:49 aaron Exp $
+.\" $OpenBSD: getpwent.3,v 1.16 2002/11/21 21:25:19 millert Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -122,9 +122,10 @@ These routines have been written to
.Dq shadow
the password file, e.g.,
allow only certain programs to have access to the encrypted password.
-If the process which calls them has an effective UID of 0, the encrypted
-password will be returned, otherwise, the password field of the returned
-structure will point to the string
+If the process which calls them has an effective UID of 0 or has the
+.Dq shadow
+group in its group vector, the encrypted password will be returned, otherwise,
+the password field of the returned structure will point to the string
.Ql * .
.Sh RETURN VALUES
The functions
diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
index 77c689fa8f5..39c3685e438 100644
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@@ -33,7 +33,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: getpwent.c,v 1.27 2002/07/06 03:10:23 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: getpwent.c,v 1.28 2002/11/21 21:25:19 millert Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@@ -965,18 +965,16 @@ static int
__initdb()
{
static int warned;
- char *p;
#ifdef YP
__ypmode = YPMODE_NONE;
__getpwent_has_yppw = -1;
#endif
- p = (geteuid()) ? _PATH_MP_DB : _PATH_SMP_DB;
- _pw_db = dbopen(p, O_RDONLY, 0, DB_HASH, NULL);
- if (_pw_db)
+ if ((_pw_db = dbopen(_PATH_SMP_DB, O_RDONLY, 0, DB_HASH, NULL)) ||
+ (_pw_db = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL)))
return (1);
if (!warned)
- syslog(LOG_ERR, "%s: %m", p);
+ syslog(LOG_ERR, "%s: %m", _PATH_MP_DB);
warned = 1;
return (0);
}
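Review bot: The two-stage dbopen() chain that replaces the geteuid() test needs a comment, because the fallback now triggers on any failure of _PATH_SMP_DB rather than only on a permission denial: `/* Prefer the shadow db (readable by root and group shadow); on any failure fall back to the public db, whose pw_passwd fields hold "*". */`. A consequence worth recording is that if _PATH_SMP_DB fails for a reason other than EACCES (missing, corrupt, wrong mode), a privileged caller silently receives the hashless records with no log entry, since syslog() only runs when both opens fail and then reports only _PATH_MP_DB with the errno of the second attempt. If that distinction matters, save errno after the first dbopen() and name both paths in the message. The `static int` of __initdb sits in the hunk header, so the definition begins one line before the hunk.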
diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.c b/usr.sbin/pwd_mkdb/pwd_mkdb.c
index 6148b4441b1..728ad2505ec 100644
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.c
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pwd_mkdb.c,v 1.30 2002/06/02 06:42:29 deraadt Exp $ */
+/* $OpenBSD: pwd_mkdb.c,v 1.31 2002/11/21 21:25:19 millert Exp $ */
/*-
* Copyright (c) 1991, 1993, 1994
@@ -45,7 +45,7 @@ static char copyright[] =
#if 0
static char sccsid[] = "from: @(#)pwd_mkdb.c 8.5 (Berkeley) 4/20/94";
#else
-static char *rcsid = "$OpenBSD: pwd_mkdb.c,v 1.30 2002/06/02 06:42:29 deraadt Exp $";
+static char *rcsid = "$OpenBSD: pwd_mkdb.c,v 1.31 2002/11/21 21:25:19 millert Exp $";
#endif
#endif /* not lint */
@@ -56,6 +56,7 @@ static char *rcsid = "$OpenBSD: pwd_mkdb.c,v 1.30 2002/06/02 06:42:29 deraadt Ex
#include <err.h>
#include <errno.h>
#include <fcntl.h>
+#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <signal.h>
@@ -74,6 +75,8 @@ static char *rcsid = "$OpenBSD: pwd_mkdb.c,v 1.30 2002/06/02 06:42:29 deraadt Ex
#define FILE_INSECURE 0x02
#define FILE_ORIG 0x04
+#define SHADOW_GROUP "shadow"
+
HASHINFO openinfo = {
4096, /* bsize */
32, /* ffactor */
@@ -108,8 +111,10 @@ main(argc, argv)
FILE *fp, *oldfp = NULL;
struct stat st;
struct passwd pwd;
+ struct group *grp;
sigset_t set;
uid_t olduid;
+ gid_t shadow;
int ch, tfd, makeold, secureonly, flags, checkonly;
char *username, buf[MAX(MAXPATHLEN, LINE_MAX * 2)];
@@ -146,6 +151,11 @@ main(argc, argv)
if (argc != 1 || (makeold && secureonly) ||
(username && (*username == '+' || *username == '-')))
usage();
+
+ if ((grp = getgrnam(SHADOW_GROUP)) == NULL)
+ errx(1, "cannot find `%s' in the group database, aborting",
+ SHADOW_GROUP);
+ shadow = grp->gr_gid;
/*
* This could be changed to allow the user to interrupt.
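Review bot: The getgrnam(SHADOW_GROUP) block would read better with a why-comment, since its placement ahead of the signal-blocking and the database rebuild is the point: `/* Resolve the shadow group up front: without it the secure db cannot be made group readable, so abort before any database is touched. */`. Aborting with errx() here is the right fail-closed choice, as the existing spwd.db is left intact on a system that lacks the group; the comment should say that so a later edit does not soften it into a warning. The enclosing main() starts and ends outside this hunk.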
@@ -223,6 +233,11 @@ main(argc, argv)
}
if (!edp)
error(buf);
+ if (fchown(edp->fd(edp), (uid_t)-1, shadow) != 0)
+ warn("%s: unable to set group to %s", _PATH_SMP_DB,
+ SHADOW_GROUP);
+ else if (fchmod(edp->fd(edp), PERM_SECURE|S_IRGRP) != 0)
+ warn("%s: unable to make group readable", _PATH_SMP_DB);
clean |= FILE_SECURE;
/* Open the temporary insecure password database. */
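Review bot: The fchown()/fchmod() pair on the secure db deserves a comment making the ordering explicit, because the `else if` is doing security work that is easy to lose in a later edit: `/* Widen the mode to group-readable only after the group is shadow; on either failure the db keeps PERM_SECURE, which is safe but leaves shadow-group readers on the hashless db. */`. A small style point is that `edp->fd(edp)` is evaluated twice; `int sfd = edp->fd(edp);` before the first call avoids the repetition. The warn() messages name _PATH_SMP_DB, which I assume is the final path rather than the file edp currently refers to — worth confirming against the dbopen() call above the hunk. main() starts and ends outside this hunk.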