robert at linuxfromscratch.org
Sat May 19 04:54:47 PDT 2007
On Friday May 18 2007 11:13, Jan Dvořák wrote:
> Well, I always thought shadow is bloated, but rewriting the whole thing?
> If we stick to GNU/Linux and forget about everything else, just
> concentrate on what HLFS/BLFS needs... yes, sounds doable.
> And as I look on the installed executables of shadow; what are those
> like newgrp and others having letter 'g' in them for? I've never even
> heard of them being used...
gpasswd is "group password". Anything in shadow/src/ that starts with a 'g' is
a group utility.
Some of the utilities are silly, like 'pwck/grpck'. They're 24kb each, and
check if the /etc/shadow file is formatted correctly. This could be moved to
libshadow so the checking is done whenever /etc/shadow is opened. It's
useful as a separate program only if you build an /etc/passwd file by hand,
but if 'adduser' and 'passwd' can use a '--directory=' option then it's not
The 'newusers' program, 28kb, adds new users and groups from a list in a text
file. Passwords are cleartext. A shell script could do this, and with hashed
passwords. 'chpasswd' is almost the same.
'mkpasswd' functionality could be moved to 'passwd', with a --stdout
option. 'mkpasswd' creates random passwords... what is this good for??? I can
see uses for --stdout, for sending someone your hashed password. 'openssl
passwd' does the same thing btw.
'vipw' could refuse to use an editor not owned by root, like if root has
EDITOR=/home/user/bin/vim. Just an idea. 'vipw' does the same checks
as 'pwck', which is another reason the check routine should be in libshadow.
The 'groups' program does what 'id' already does.
'chage', 'chsh', 'chfn', and 'expiry', all do what 'usermod' does. They're
redundant. For compatibility these programs, and manual pages, could be
symlinked to 'usermod', to emulate those commands based on program-name (like
'groupadd' and 'groupdel' share duplicate code (grp_update). 'useradd'
and 'userdel' probably do too. These could be merged into a single program
1/3rd the size.
These changes, plus the removal of PAM and SELinux, would reduce the source
code by more than half. Making these utilities small isn't my goal, but the
way they are now is ridiculous... half of the code is duplicate functions.
In BSD most of these programs share a pwdb library function (which includes
the file format checking routines) to make changes to the password/user/group
databases. NIS/YP could be handled in there too, instead of by each program.
It might be tricky to keep compatibility with other packages, like kerberos. I
haven't looked at how glibc/uclibc supports shadow-passwords. As far as I
know nothing outside of shadow-utils should link to libshadow... programs
like kerberos should get shadow-password support from libc.
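
An added example, not part of the original post and not shadow's own code: a sketch of the per-line /etc/shadow format check that the message proposes moving out of 'pwck' and into a shared library, so every program that opens the file runs it. It assumes the nine colon-separated fields documented in shadow(5); the name shadow_line_check and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_FIELDS 9   /* assumption: field layout from shadow(5) */

/* Return 1 if s[0..len) is empty or consists only of decimal digits. */
static int numeric_or_empty(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Validate one shadow line (without trailing newline).
 * Returns 0 if well formed, the 1-based number of the first bad field,
 * or -1 if the line does not have exactly SHADOW_FIELDS fields.
 */
int shadow_line_check(const char *line)
{
    const char *p = line;
    int field = 1;

    for (;;) {
        size_t len = strcspn(p, ":");
        if (field == 1 && len == 0)
            return 1;                      /* empty login name */
        if (field >= 3 && field <= 8 && !numeric_or_empty(p, len))
            return field;                  /* aging fields must be numeric */
        if (p[len] == '\0')
            break;                         /* end of line reached */
        p += len + 1;
        if (++field > SHADOW_FIELDS)
            return -1;                     /* too many fields */
    }
    return field == SHADOW_FIELDS ? 0 : -1;
}

int main(void)
{
    /* Constructed sample lines; "!" marks a locked account. */
    const char *samples[] = {
        "alice:!:13652:0:99999:7:::",
        "alice:!:13652:0:never:7:::",
        "alice:!:13652:0:99999:7::",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", shadow_line_check(samples[i]), samples[i]);
    return 0;
}
```

A library wrapper that opens the file would call this on every line and refuse to write the database back if any line fails, which is the behaviour the message asks for.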