{"id":4291,"date":"2022-12-20T17:48:53","date_gmt":"2022-12-20T20:48:53","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/tcb-man5\/"},"modified":"2022-12-20T17:48:53","modified_gmt":"2022-12-20T20:48:53","slug":"tcb-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/tcb-man5\/","title":{"rendered":"TCB (man5)"},"content":{"rendered":"

TCB<\/h1>\n

NAME<\/a>
PROBLEM<\/a>
SOLUTION<\/a>
ADVANTAGES<\/a>
DISADVANTAGES<\/a>
WORKAROUNDS FOR FILESYSTEMS LIMITS<\/a>
AUTHORS<\/a>
SEE ALSO<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

tcb<\/b> \u2212 alternative password shadowing scheme<\/p>\n

PROBLEM <\/a> <\/h2>\n

With the traditional password shadowing scheme, password hashes and password aging information of all users is stored in one file, \/etc\/shadow<\/i>. Therefore, if a process requires access to information on a single user, it is forced to possess privileges which are sufficient to access data on all users. This is a design flaw, which is most clearly visible in the case of passwd<\/b>(1) utility. Let\u2019s assume that unprivileged users are to be allowed to change their own passwords. Whatever permissions are assigned to \/etc\/shadow<\/i>, passwd<\/b>(1), invoked by unprivileged user U, must be able to modify the contents of this file. If malicious user U finds a way to control the passwd<\/b>(1) process (with the help of a buffer overflow or another bug in the passwd<\/b>(1) code, in the libraries it uses, or in the kernel), the user will be able to change passwords of all users and thus obtain full control over the system.<\/p>\n

SOLUTION <\/a> <\/h2>\n

The solution is straightforward \u2212 each user is assigned its own, separate shadow-style file. User U\u2019s shadow file is owned by U, so passwd<\/b>(1) invoked by U does not require superuser privileges.<\/p>\n

The directory where all users\u2019 shadow files reside is \/etc\/tcb<\/i>:<\/p>\n

drwx–x— 2 root shadow 1024 Jul 4 01:18 \/etc\/tcb<\/p>\n

For each user, there is a directory under \/etc\/tcb<\/i> with appropriate ownership and permissions:<\/p>\n

# ls -l \/etc\/tcb
total 2
drwx–s— 2 root auth 1024 Jul 4 01:18 root
drwx–s— 2 user auth 1024 Jul 4 01:18 user<\/p>\n

and so on. Each of the directories contains a shadow file for just the appropriate user:<\/p>\n

# ls -l \/etc\/tcb\/user
total 1
-rw-r—– 1 user auth 91 Jul 4 01:18 shadow<\/p>\n

The per-user directories are also used as scratch space for temporary and lock files which are needed during password change.<\/p>\n

ADVANTAGES <\/a> <\/h2>\n

This design has the following benefits:<\/p>\n\n\n\n\n
<\/td>\n\n

1.<\/p>\n<\/td>\n

<\/td>\n\n

passwd<\/b>(1) needs to be SGID to group shadow only, not SUID to root. chage<\/b>(1) and \/usr\/libexec\/chkpwd\/tcb_chkpwd<\/i> are SGID to group shadow too, which with the tcb scheme means they only possess the privilege to access the user\u2019s own shadow file entry. A bug in one of these utilities may at most give a malicious user direct access to their own shadow file.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/p>\n<\/td>\n

<\/td>\n\n

If a process needs to possess read-only access to all shadow files, it is sufficient to assign it supplementary groups “shadow” and “auth”.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

3.<\/p>\n<\/td>\n

<\/td>\n\n

On systems supporting NSS, this scheme is completely transparent to applications which need read-only access to shadow file information. The libnss_tcb library implements getspnam<\/b>(3) and other related functions with their traditional semantics. Password changing is provided by pam_tcb<\/b>(8), a PAM module.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

See the tcb_convert<\/b>(8) manual page for instructions on how to enable the tcb scheme seamlessly.<\/p>\n

DISADVANTAGES <\/a> <\/h2>\n

Honestly, there are a few minor ones:<\/p>\n\n\n\n\n\n
<\/td>\n\n

1.<\/p>\n<\/td>\n

<\/td>\n\n

It is impractical to lock all of the shadow database (see tcb_unconvert<\/b>(8)).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/p>\n<\/td>\n

<\/td>\n\n

Giving a process read-only access to all shadow files as described above has the side-effect of also giving it read-write access to the shadow entry of the (pseudo-)user it is running as.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

3.<\/p>\n<\/td>\n

<\/td>\n\n

It is impossible to give a process privileges sufficient for read-only access to a single shadow file only, without also having it actually run as the user.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

4.<\/p>\n<\/td>\n

<\/td>\n\n

The user management tools initially required heavy patching to support the tcb scheme.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

WORKAROUNDS FOR FILESYSTEMS LIMITS <\/a> <\/h2>\n

In case of ext2fs, the maximum number of hardlinks to a single file is limited to 32000. Therefore, with this filesystem, there can be at most 31998 directory entries in \/etc\/tcb<\/i> and, with the filesystem layout described above, at most 31998 users.<\/p>\n

The workaround: a tcb directory of user U can be located not only in \/etc\/tcb<\/i>, but also in \/etc\/tcb\/:some\/path<\/i>. In the latter case, there should be a symlink \/etc\/tcb\/U<\/i> -> \/etc\/tcb\/:some\/path\/U<\/i>.<\/p>\n

Starting with tcb 0.9.8, directories which match the shell pattern \/etc\/tcb\/:*<\/i> are not treated as per-user directories by tcb libraries. These directories are reserved to hold symlinked per-user directories, and for other purposes.<\/p>\n

By default, shadow suite utilities create directory entries directly in \/etc\/tcb<\/i>; if one expects more than 31998 users on the system, one can switch on the symlink creation anytime by editing login.defs<\/b>(5) config file.<\/p>\n

AUTHORS <\/a> <\/h2>\n

The tcb suite was implemented for Openwall GNU\/*\/Linux by Rafal Wojtczuk and Solar Designer . pam_tcb<\/b> is meant to be backwards-compatible with pam_unix<\/b>, therefore some design decisions are cloned from pam_unix<\/b>. Also certain less critical code fragments, as well as some of the code layout, are taken from the Linux-PAM implementation of pam_unix<\/b>. The names of contributors to pam_unix<\/b> can be found under orig_copyright\/ in source distribution of the tcb suite.<\/p>\n

SEE ALSO <\/a> <\/h2>\n

login.defs<\/b>(5), pam_tcb<\/b>(8), tcb_convert<\/b>(8)<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

tcb \u2212 alternative password shadowing scheme <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1311],"class_list":["post-4291","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-tcb"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4291"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4291\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}