move passwords from /etc/passwd to /etc/shadow #44

Merged
merged 1 commit into from
Mar 6, 2024


fischerling
Contributor

Move the passwords from the world-readable file /etc/passwd into the shadow file and provide new functions in libc to access the passwords when running as uid 0.

TODO: In order for this separation to be effective, we need a proper way to set realistic permissions in the rootfs:

  • Everything in / should be owned by uid=0
  • Everything in /home/user should be owned by uid=1000

Move the passwords from the world-readable file /etc/passwd into
the shadow file and provide new functions in libc to access the passwords
when running as uid 0.
@fischerling
Contributor Author

In my fork of MentOS I have two separate non-root users alice and bob and I use a small shell script to set realistic permissions in the filesystem.
This is done by a cmake target mounting the root filesystem and running the script.

```cmake
# MentOS is compatible with EXT2 filesystems. This target sets realistic
# permissions in the generated filesystem using the content of the `files` folder.
add_custom_target(filesystem_permissions
    COMMAND echo '============================================================================='
    COMMAND echo 'Fix root filesystem permissions...'
    COMMAND echo '============================================================================='
    COMMAND mkdir -p ${CMAKE_BINARY_DIR}/root
    COMMAND sudo fuse2fs ${CMAKE_BINARY_DIR}/rootfs.img ${CMAKE_BINARY_DIR}/root
    COMMAND sudo chown root:root -R ${CMAKE_BINARY_DIR}/root
    COMMAND sudo ${CMAKE_SOURCE_DIR}/scripts/fix_permissions.sh ${CMAKE_BINARY_DIR}/root
    COMMAND sudo umount ${CMAKE_BINARY_DIR}/root
    DEPENDS filesystem
)
```

```sh
#!/bin/sh

ROOT=$1

if [ -z "${ROOT}" ]
then
	echo "Usage: $0 <root>" >&2
	exit 1
fi

# Set default permissions and file owner
# (X adds execute only to directories and already-executable files)
chown -R root:root "${ROOT}"
sudo chmod -R u=rwX,go=rX "${ROOT}"

# Set security related permissions
sudo chmod 644 "${ROOT}"/etc/passwd
sudo chmod og-rwx "${ROOT}"/etc/shadow

# Set user permissions
sudo chown -R 1000:1000 "${ROOT}"/home/alice
sudo chown -R 1001:1001 "${ROOT}"/home/bob
sudo chmod -R u=rwX,go= "${ROOT}"/home/*
```

The problem with this approach is that it requires root permissions to mount the rootfs to modify its content.

Maybe we can come up with a better solution.
Something like using install(1) to copy all files into the build dir using the correct permissions.
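
A check for the separation discussed in this pull request, as an added example that is not part of the thread or of MentOS: it audits a mounted or staged root tree for password fields left in `passwd` and for ownership and mode bits on `passwd` and `shadow`. The function name `audit_rootfs`, its optional owner-uid argument and the `name:password:uid:...` passwd layout are assumptions.

```shell
#!/bin/sh
# Added example (not MentOS code): audit a root tree for the passwd/shadow split.
# Usage: audit_rootfs <root> [owner-uid]     (owner-uid defaults to 0)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_rootfs() {
    root=$1
    owner=${2:-0}
    status=0
    finding() { echo "$1"; status=1; }

    for f in etc/passwd etc/shadow; do
        if [ ! -f "$root/$f" ]; then
            finding "/$f: missing"
            return 1
        fi
        # Numeric owner is the third column of `ls -ln`.
        uid=$(ls -ldn "$root/$f" | awk '{ print $3 }')
        [ "$uid" = "$owner" ] || finding "/$f: owned by uid $uid, expected $owner"
    done

    # passwd is world-readable, so field 2 may only hold the "x" placeholder.
    # Assumption: the usual name:password:uid:gid:... layout.
    for user in $(awk -F: 'NF >= 2 && $2 != "x" { print $1 }' "$root/etc/passwd"); do
        finding "/etc/passwd: '$user' still carries a password field"
    done

    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    perms=$(ls -ld "$root/etc/shadow" | cut -c5-10)
    [ "$perms" = "------" ] || finding "/etc/shadow: group/other bits are '$perms'"

    # passwd may be readable by everyone but writable only by its owner.
    perms=$(ls -ld "$root/etc/passwd" | cut -c6,9)
    [ "$perms" = "--" ] || finding "/etc/passwd: writable by group or other"

    return "$status"
}

# Run the audit when the script is called with arguments.
if [ "$#" -gt 0 ]; then
    audit_rootfs "$@"
fi
```

When the tree was staged without root, pass the build user's uid as the second argument so that only the mode and content checks can fail.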

@Galfurian
Member

Galfurian commented Mar 4, 2024

I tried as much as possible to avoid using sudo throughout the project. This way it is possible for a student to run the code even on a University-owned computer, where they do not have admin rights.

I was thinking about a mid-way solution: distinguish between passwd and shadow, and store an encrypted password in shadow, but without setting the typical Linux rights on shadow. In a personal branch, I integrated a basic Data Encryption Standard (DES) algorithm in MentOS, and planned to encrypt the passwords in shadow at least.

What do you think?

I can think about how to properly set root and permissions in the future.

@Galfurian Galfurian merged commit 88bf849 into mentos-team:develop Mar 6, 2024
17 checks passed
@fischerling fischerling deleted the add-shadow-file branch March 14, 2024 17:49
@Galfurian Galfurian added the enhancement New feature or request label Apr 5, 2024