I was experimenting with Linux Capabilities, and I noticed that for the passwd
program to work without being Set-UID root, it needs to have the CAP_CHOWN capability (in addition to some others). Logically, why would it need to have CAP_CHOWN at all?
Incidentally, passwd gives me a "token manipulation error" if I remove the capability.
Edit: I'm using Ubuntu 11.04 without SELinux. I'm trying to get passwd
to work without being Set-UID root.
The
cap_chown
is not required for thepasswd
itself. It is only needed to change the /etc/shadow file associated with theuserID
. The /etc/shadow file is set so that it cannot be read by just anyone./etc/shadow is only accessible to root. So when /etc/passwd finishes it's authentication module and is ready to write a new (encoded) password, it will create a token. Which is accessed by the Linux-PAM service, which will chown it to root and write it into /etc/shadow.
Edit:
passwd uses the files /etc/.pwd.lock, /etc/shadow , /etc/nshadow. Since passwd reads and writes from /etc directory, w permissions are requried by it. Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and renames /etc/nshadow to /etc/shadow.
Furthermore, I confirmed the existence of
/etc/nshadow
using this C program. FYI,