From: David Malone
To: "H. S."
Cc: freebsd-hackers@freebsd.org
Date: Sun, 20 Mar 2005 20:03:58 +0000
Subject: Re: passwd & permissions
Message-ID: <20050320200358.GA59392@walton.maths.tcd.ie>
In-Reply-To: <49296.81.84.174.5.1111346817.squirrel@mail.revolutionsp.com>

On Sun, Mar 20, 2005 at 01:26:57PM -0600, H. S. wrote:
> I've been using FreeBSD on various servers for a long time now, and there is
> something that has always bothered me. It is related to /etc/passwd and
> /etc/pwd.db permissions.
>
> I have custom (0640) permissions on these files. However, each time a user
> changes his/her password, the system will reset the password file
> permissions back to the original (rw r r).

I think these files would be rebuilt by the pwd_mkdb utility. You
should be able to change it to rebuild the files with different
permissions. See the PERM_INSECURE and PERM_SECURE constants in pwd_mkdb.c.

(I'm not really sure about the wisdom of making passwd and pwd.db
have permissions 640, but I guess you know your system best.)

	David.
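
Why a chmod on the live file does not survive a rebuild, as an added example that is not part of the original message and is not pwd_mkdb code: a simplified model in which the file is rewritten to a temporary name with a compiled-in mode and renamed into place, so the mode comes from the constant rather than from the old file. The mode values (0644 and 0600), the helper names and the scratch path under /tmp are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700 /* for mkdtemp() and fchmod() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added illustration, not pwd_mkdb source. Assumed modes: 0644 public, 0600 root-only. */
#define PERM_INSECURE (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
#define PERM_SECURE   (S_IRUSR | S_IWUSR)

/* Permission bits of path, or -1 on error. */
static int mode_of(const char *path) {
    struct stat sb;
    return stat(path, &sb) == 0 ? (int)(sb.st_mode & 07777) : -1;
}

/* Write a fresh copy to path.tmp with mode perm, then rename it over path. */
static int rebuild(const char *path, mode_t perm) {
    char tmp[128];
    snprintf(tmp, sizeof(tmp), "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, perm);
    if (fd < 0) return -1;
    /* fchmod makes the mode independent of the caller's umask. */
    int ok = fchmod(fd, perm) == 0 && write(fd, "rebuilt\n", 8) == 8;
    close(fd);
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);
    return -1;
}

/* Tighten a scratch file to admin_mode, rebuild it, return the resulting mode. */
int mode_after_rebuild(mode_t admin_mode, mode_t rebuild_perm) {
    char dir[] = "/tmp/pwdemo.XXXXXX", path[64];
    int result = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof(path), "%s/pwd.db", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        /* The rename replaces the inode, so admin_mode is discarded. */
        if (chmod(path, admin_mode) == 0 && rebuild(path, rebuild_perm) == 0)
            result = mode_of(path);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void) {
    printf("0640, then rebuild: %04o\n", mode_after_rebuild(0640, PERM_INSECURE));
    return 0;
}
```

Passing 0640 as the rebuild mode in this model keeps the tighter setting, which is the effect of changing the constant as suggested in the reply.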