new shadow passwd functions
Long, long ago, password hashes were kept in the /etc/passwd file. This is obviously bad because it allows users to pry into other users’ hashes, attempting to crack them. The solution was to move the real hashes to another file, called master.passwd on OpenBSD. BSD systems also turn the text passwd files into a database file so that calling getpwnam is fast even with thousands of users on a 10MHz vax.
On some systems, e.g. Linux, there are two sets of functions. Normal functions like getpwnam that open the regular passwd files, and shadow functions like getspnam that open the files with password hashes. The problem is that struct passwd and struct spwd are not the same, making it difficult to write code that can work with both variants. Everything must be written twice, even though the code will be identical except for a few characters difference.
On BSD systems, the shadowed password files were integrated into the regular functions. Calling getpwnam will first attempt to open spwd.db and if that fails, will open the world readable pwd.db file without passwords. The same set of functions can be used for authentication programs like login and for user utilities like ls.
The downside to this second approach is that user utilities run as root still open the shadow files. If one were to discover an infoleak in ls that dumped memory contents, and tricked root into running it, and then tricked root into showing the output, that may result in a leak of the password hashes. Unlikely, but ungood.
New in OpenBSD 5.9 were a set of shadow functions such as getpwnam_shadow. These are documented to open the shadow password database, although the existing functions still worked. Starting with 6.0, the default functions no longer attempt to open the shadow database. Code which wishes to check passwords needs to use the shadow flavor of functions. However, the changes are very minimal, only requiring a change to the name of a single function call.
Tagged: openbsd