OpenSSL libcrypto/libcrypt

Robert Connolly robert at
Sat May 19 04:54:47 PDT 2007

On Friday May 18 2007 11:13, Jan Dvořák wrote:
> Well, I always thought shadow is bloated, but rewriting the whole thing?
> If we stick to GNU/Linux and forget about everything else, just
> concentrate on what HLFS/BLFS needs... yes, sounds doable.
> And as I look on the installed executables of shadow; what are those
> like newgrp and others having letter 'g' in them for? I've never even
> heard of them being used...

gpasswd is "group password". Anything in shadow/src/ that starts with a 'g' is 
a group utility.

Some of the utilities are silly, like 'pwck/grpck'. They're 24kb each, and 
check if the /etc/shadow file is formated correctly. This could be moved to 
libshadow so the checking is done whenever /etc/shadow is opened. It's 
usefull as a separate program only if you build an /etc/passwd file by hand, 
but if 'adduser' and 'passwd' can use a '--directory=' option then it's not 

The 'newusers' program, 28kb, adds new users and groups from a list in a text 
file. Passwords are cleartext. A shell script could do this, and with hashed 
passwords. 'chpasswd' is almost the same.

'mkpasswd' functionality could be moved to 'passwd', with a --stdout 
option. 'mkpasswd' creates random passwords... what is this good for??? I can 
see uses for --stdout, for sending someone your hashed password. 'openssl 
passwd' does the same thing btw.

'vipw' could refuse to use an editor not owned by root, like if root has 
EDITOR=/home/user/bin/vim. Just an idea. 'vipw' does the same checks 
as 'pwck', which is another reason the check routine should be in libshadow.

The 'groups' program does what 'id' already does.

'chage', 'chsh', 'chfn', and 'expiry', all do what 'usermod' does. They're 
redundant. For compatibility these programs, and manual pages, could be 
symlinked to 'usermod', to emulate those commands based on program-name (like 
busybox does).

'groupadd' and 'groupdel' share duplicate code (grp_update). 'useradd' 
and 'userdel' probably do too. These could be merged into a single program 
1/3rd the size.

These changes, plus the removal of PAM and Selinux, would reduce the source 
code by more than half. Making these utilities small isn't my goal, but the 
way they are now is ridicules... half of the code is duplicate functions.

In bsd most of these programs share a pwdb library function (which includes 
the file format checking routines) to make changes to the password/user/group 
databases. NIS/YP could be handled in there too, instead of by each program.

It might be tricky to keep compatibility with other packages, like kerberos. I 
haven't looked at how glibc/uclibc supports shadow-passwords. As far as I 
know nothing outside of shadow-utils should link to libshadow... programs 
like kerberos should get shadow-password support from libc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the hlfs-dev mailing list