| 1 |
I'd like to add <http://code.google.com/p/hardened-shadow/> to the tree. |
| 2 |
It is an alternative implementation of shadow utilities (passwd, su, |
| 3 |
login, etc) based on ideas from Openwall's tcb. |
| 4 |
|
| 5 |
Earlier I tried upstreaming the Openwall's shadow patches, and you can |
| 6 |
see a log of those efforts at |
| 7 |
<http://comments.gmane.org/gmane.linux.debian.alioth.pkg-shadow/881> |
| 8 |
|
| 9 |
In the end shadow-4.1.5 has some experimental support for tcb, but |
| 10 |
|
| 11 |
1) It's incomplete (I didn't manage to upstream all Openwall's patches). |
| 12 |
2) It's ugly (even more "special cases" in the already #ifdef-heavy |
| 13 |
codebase). |
| 14 |
3) It requires sys-auth/tcb, which doesn't work with vanilla glibc (I'm |
| 15 |
maintaining tcb in Gentoo and have special patch for that, reviewed by |
| 16 |
upstream), and is broken with recent glibc |
| 17 |
(<https://bugs.gentoo.org/show_bug.cgi?id=371167>). |
| 18 |
|
| 19 |
And now we have <http://code.google.com/p/hardened-shadow/> which is a |
| 20 |
small alternative implementation, possibly going even further (the file |
| 21 |
system layout is a bit different than with tcb). |
| 22 |
|
| 23 |
I'd like to add virtual/shadow-0, with the following dependencies: |
| 24 |
|
| 25 |
DEPEND="" |
| 26 |
RDEPEND="|| ( >=sys-apps/shadow-4.1 sys-apps/hardened-shadow )" |
| 27 |
|
| 28 |
hardened-shadow package is not yet in the tree, I'm going to be its |
| 29 |
maintainer (base-system or anyone else is welcome to join), and the |
| 30 |
ebuild is going to be very simple. |
| 31 |
|
| 32 |
And then convert profiles to the new virtual (the relevant files; below |
| 33 |
are all occurrences of sys-apps/shadow): |
| 34 |
|
| 35 |
$ grep 'sys-apps/shadow' -r /usr/portage/profiles/ |
| 36 |
/usr/portage/profiles/ChangeLog-2011: Added sys-apps/shadow to |
| 37 |
packages.build as we need it on stage1. |
| 38 |
/usr/portage/profiles/prefix/packages:-*>=sys-apps/shadow-4.1 |
| 39 |
/usr/portage/profiles/prefix/package.provided:sys-apps/shadow-0 |
| 40 |
/usr/portage/profiles/base/packages:*>=sys-apps/shadow-4.1 |
| 41 |
/usr/portage/profiles/uclibc/packages.build:sys-apps/shadow |
| 42 |
/usr/portage/profiles/default/bsd/ChangeLog: Add -*>=sys-apps/shadow-4.1 |
| 43 |
/usr/portage/profiles/default/bsd/package.mask:sys-apps/shadow |
| 44 |
/usr/portage/profiles/default/bsd/packages:-*>=sys-apps/shadow-4.1 |
| 45 |
/usr/portage/profiles/default/linux/packages.build:sys-apps/shadow |
| 46 |
/usr/portage/profiles/use.local.desc:sys-apps/shadow:audit - Enable |
| 47 |
support for sys-process/audit |
| 48 |
/usr/portage/profiles/use.local.desc:sys-apps/shadow:tcb - Enable |
| 49 |
support for sys-auth/tcb |
| 50 |
|
| 51 |
And any reverse dependencies (after testing): |
| 52 |
|
| 53 |
<http://tinderbox.dev.gentoo.org/misc/dindex/sys-apps/shadow> |
| 54 |
|
| 55 |
What do you think? |
Archives