
#1 2019-11-25 19:03:15

r00t
Member
From: Canada
Registered: 2019-04-18
Posts: 45

passwd and shadow to non standard location

So I'll explain what I want to do here, and maybe someone can point me in the right direction or tell me if it's even possible.

So I have a system that I am building that I was talking about before, running volatile, using an overlay and write-back to allow a normal user to install files and save installs and their home/ to their USB drive.

As such, I don't want the root account password to be stored on the system at all; I would like to make the root account only function if recovery mode is booted or if the admin USB stick is in.

Now this in itself I can mostly do already; it's just the part about moving the root account...

Is it possible to remove the root account and have it look for the password for such an account on a non-local drive [USB stick]? So if someone does get the shadow file, there is no root password information in it?

Hope I was being clear.

Thanks.


The distance between insanity and genius is measured only by success.


#2 2019-11-25 20:38:10

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,553

Re: passwd and shadow to non standard location

The mechanism for redirecting database lookups in passwd and shadow to arbitrary locations, even network locations, is called nsswitch. It has a man page, nsswitch.conf(5); read it. It's a core aspect of glibc. The different lookup mechanisms available depend on the number of NSS modules installed.

In order to implement a split passwd/shadow system, you'd need to specify another module that acts somewhat like the files module (which reads shadow/passwd; see the man page) but looks elsewhere.

For example, the passwd lookup on my system is configured like this:

passwd: files mymachines systemd

meaning it'll first look in the passwd file, and if the entry is not found there, continue looking in the mymachines module https://www.freedesktop.org/software/sy … hines.html and the systemd module https://www.freedesktop.org/software/sy … stemd.html. As you can read on that page,

nss-systemd is a plug-in module for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc), providing UNIX user and group name resolution for dynamic users and groups allocated through the DynamicUser= option in systemd unit files. See systemd.exec(5) for details on this option.

This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs 0 and 65534) remain resolvable at all times, even if they aren't listed in /etc/passwd or /etc/group, or if these files are missing.

There are numerous modules available supporting network-based lookup, for example ldap, or even proxy lookups to other applications like sssd, which in turn can even talk to Active Directory servers to provide passwd/shadow entries.

This works reasonably well for regular users. I'm sure that for root you could hit some corner cases.

Given that you have 'systemd' for passwd and shadow in your nsswitch, to make use of the aforementioned functionality to prevent borking your system, you could start with locking root:

passwd -l root

and replace the password hash in shadow with '!'. A user can become root this way only by using sudo and their own password.

And then, in the next step, delete root from passwd and shadow altogether. Reboot. If the system still works, you could continue thinking about how to load passwd/shadow from the location you want. Note that locking & removing the password works just as well, as the systemd module will always ensure that 'a' root user exists.

The ultimate achievement would be then, in the end, to drop the 'systemd' nss module and still have a working system.


At the end of the river the sundown beams

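A pre-flight check for the procedure in the reply above (lock root, confirm nss-systemd is configured for the databases that must keep UID/GID 0 resolvable, then delete root from passwd/shadow and reboot), written as an added example. This is not code from the post or from the nss-systemd project. It assumes the nsswitch.conf and shadow files are passed in as paths, so it can run against the constructed sample files created below; on a real system you would run `preflight /etc/nsswitch.conf /etc/shadow` as root, since /etc/shadow is not world-readable. The function and sample-file names are illustrative.

```shell
#!/bin/sh
# Pre-flight check before removing root from /etc/passwd and /etc/shadow.
# Assumption: file paths are passed as arguments so the same functions work on
# the constructed samples below and on the real /etc files.

# Print the NSS sources configured for one database, e.g. "files systemd".
nss_sources() {           # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '
        { sub(/#.*/, "") }                             # strip comments
        match($0, "^[ \t]*" db "[ \t]*:") {            # "passwd:" line
            rest = substr($0, RLENGTH + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", rest)
            print rest; exit
        }' "$1"
}

# Return 0 if the database lists the systemd module (nss-systemd), which the
# post relies on to keep root resolvable once it is gone from /etc/passwd.
nss_has_systemd() {       # $1 = nsswitch.conf path, $2 = database name
    case " $(nss_sources "$1" "$2") " in
        *" systemd "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Classify root's password field in a shadow file:
#   absent  - no root line at all (root already deleted from shadow)
#   locked  - "!" or "*", or a hash prefixed with "!" (what passwd -l writes)
#   empty   - empty field: passwordless login, the worst state, not "no password"
#   hashed  - a usable hash is still on disk, the state the poster wants to avoid
root_state() {            # $1 = shadow path
    awk -F: '
        $1 == "root" {
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "hashed"
            found = 1; exit
        }
        END { if (!found) print "absent" }' "$1"
}

# Combined check: only proceed to delete root from passwd/shadow when every
# database that must keep resolving UID/GID 0 falls through to systemd and
# root already has no usable hash. Returns 0 (ready) or 1 (not ready).
preflight() {             # $1 = nsswitch.conf path, $2 = shadow path
    rc=0
    for db in passwd group shadow; do
        if nss_has_systemd "$1" "$db"; then
            echo "ok:   $db -> $(nss_sources "$1" "$db")"
        else
            echo "FAIL: $db -> '$(nss_sources "$1" "$db")' lacks systemd"; rc=1
        fi
    done
    st=$(root_state "$2")
    case "$st" in
        locked|absent) echo "ok:   root password field is $st" ;;
        *)             echo "FAIL: root password field is $st"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not from the post): a stock config and the
# post's target config, plus three shadow states.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.before" <<'EOF'
# constructed /etc/nsswitch.conf, stock layout
passwd: files
group:  files
shadow: files
hosts:  files dns
EOF
cat > "$tmp/nsswitch.after" <<'EOF'
passwd: files mymachines systemd
group:  files mymachines systemd
shadow: files systemd
hosts:  files dns
EOF
printf 'root:$6$saltsalt$notarealhash:18000:0:99999:7:::\n' > "$tmp/shadow.before"
printf 'root:!:18000:0:99999:7:::\n'                          > "$tmp/shadow.locked"
printf 'nobody:!:18000::::::\n'                               > "$tmp/shadow.absent"

preflight "$tmp/nsswitch.before" "$tmp/shadow.before" || echo "not ready, as expected"
preflight "$tmp/nsswitch.after"  "$tmp/shadow.locked" && echo "ready to delete root"
```

The `empty` case is the one worth remembering: an empty second field in shadow is not "no password", it lets anyone log in as root without one, so the check treats it as a failure rather than as already locked.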

#3 2019-11-26 21:11:15

r00t
Member
From: Canada
Registered: 2019-04-18
Posts: 45

Re: passwd and shadow to non standard location

Great, this was very helpful. Thank you. And actually more information than I was expecting to get on the matter :)


The distance between insanity and genius is measured only by success.



Powered by FluxBB