Home/ Questions/Q 6706461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T07:31:23+00:00

I was experimenting with Linux Capabilities, and I noticed that for the passwd program

  • 0

I was experimenting with Linux Capabilities, and I noticed that for the passwd program to work without being Set-UID root, it needs to have the CAP_CHOWN capability (in addition to some others). Logically, why would it need to have CAP_CHOWN at all?

Incidentally, passwd gives me a “token manipulation error” if I remove the capability.

Edit: I’m using Ubuntu 11.04 without SELinux. I’m trying to get passwd to work without being Set-UID root.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The cap_chown is not required for the passwd itself. It is only needed to change the /etc/shadow file associated with the userID.
    The /etc/shadow file is set so that it cannot be read by just anyone.

    /etc/shadow is only accessible to root. So when /etc/passwd finishes it’s authentication module and is ready to write a new (encoded) password, it will create a token. Which is accessed by the Linux-PAM service, which will chown it to root and write it into /etc/shadow.

    Edit:

    passwd uses the files /etc/.pwd.lock, /etc/shadow , /etc/nshadow.
    Since passwd reads and writes from /etc directory, w permissions are requried by it. Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and renames /etc/nshadow to /etc/shadow.

    open('/etc/nshadow',O_WRONLY|O_CREAT)=fd1
open('/etc/shadow', O_RDONLY)=fd2
fchown(fd1, uid=root, gid=shadow)
chmod /etc/shadow to : rw by owner and r by group
read(fd2)
write(fd1)
rename("/etc/nshadow", "/etc/shadow")

    Furthermore, I confirmed the existence of /etc/nshadow using this C program. FYI,

    #include<stdio.h>
#include<unistd.h>
int main()
{
while(1)
if (access("/etc/nshadow",F_OK)!=-1){
    printf("Exists\n");
    break;
    }
return 0;
}
    • 0