The intention is to keep the repo root clean while the list of packages is slowly growing. Additionally, a bunch of small (~30 LoC) files in the repo root are merged into a single maddy.go file, for the same reason. Most of the internal code is moved into the internal/ directory. The Go toolchain will make it impossible to import these packages from external applications. Some packages are renamed and moved into the pkg/ directory in the root. According to https://github.com/golang-standards/project-layout this is the de-facto standard to place "library code that's ok to use by external applications" in. To clearly define the purpose of top-level directories, README.md files are added to each.
maddy-shadow-helper
External helper binary for interacting with the shadow password database. Unlike maddy-pam-helper, it supports only the local shadow database, but it does not have any C dependencies.
Installation
maddy-shadow-helper is a kinda dangerous binary and should not be executable by anybody but maddy's user. At the same time, it needs access to read-protected files. For this reason, installation should be done very carefully so as not to introduce any security "holes".
First method
chown maddy: /usr/bin/maddy-shadow-helper
chmod u+x,g-x,o-x /usr/bin/maddy-shadow-helper
maddy-shadow-helper also needs access to /etc/shadow. One way to provide it is to set the file capability CAP_DAC_READ_SEARCH:
setcap cap_dac_read_search+ep /usr/bin/maddy-shadow-helper
Second method
Another, less restrictive way is to make it setuid-root (assuming you have both a maddy user and a maddy group):
chown root:maddy /usr/bin/maddy-shadow-helper
chmod u+xs,g+x,o-x /usr/bin/maddy-shadow-helper
Third method
The best way actually is to create a shadow group, grant it access to /etc/shadow, and then make maddy-shadow-helper setgid-shadow:
groupadd shadow
chown :shadow /etc/shadow
chmod g+r /etc/shadow
chown maddy:shadow /usr/bin/maddy-shadow-helper
chmod u+x,g+xs,o-x /usr/bin/maddy-shadow-helper
Pick what works best for you.
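To check the result of whichever method you picked, the following added example (not part of the maddy project) classifies the helper's owner, group, mode and file capabilities against the three methods above. The function names are hypothetical, and audit_helper assumes GNU stat and libcap's getcap are installed.

```shell
#!/bin/sh
# Added example, not maddy project code. Function names are hypothetical.

# classify_helper OWNER GROUP MODE CAPS
#   MODE: octal permissions as printed by `stat -c %a`, e.g. 4750
#   CAPS: output of `getcap FILE`, may be empty
classify_helper() {
    owner=$1 group=$2 caps=$4
    mode=$((0$3))                     # leading 0 makes the shell read octal

    # Nobody but maddy may run the helper, so "other" execute must be off.
    if [ $((mode & 0001)) -ne 0 ]; then
        echo "UNSAFE: executable by others"
        return 1
    fi

    suid=$((mode & 04000)) sgid=$((mode & 02000))
    ux=$((mode & 0100)) gx=$((mode & 0010))
    case $caps in
        *cap_dac_read_search*) has_cap=1 ;;
        *) has_cap=0 ;;
    esac

    if [ "$suid" -ne 0 ] && [ "$owner" = root ] &&
       [ "$group" = maddy ] && [ "$gx" -ne 0 ]; then
        echo "OK: second method (setuid-root, group maddy)"
    # Linux honours setgid on exec only when group-execute is also set.
    elif [ "$sgid" -ne 0 ] && [ "$owner" = maddy ] && [ "$ux" -ne 0 ] &&
         [ "$group" = shadow ] && [ "$gx" -ne 0 ]; then
        echo "OK: third method (setgid-shadow)"
    elif [ "$suid" -eq 0 ] && [ "$sgid" -eq 0 ] && [ "$owner" = maddy ] &&
         [ "$ux" -ne 0 ] && [ "$gx" -eq 0 ] && [ "$has_cap" -eq 1 ]; then
        echo "OK: first method (CAP_DAC_READ_SEARCH)"
    else
        echo "UNKNOWN: matches none of the three methods"
        return 2
    fi
}

# audit_helper [PATH]: read real metadata (assumes GNU stat and getcap).
audit_helper() {
    f=${1:-/usr/bin/maddy-shadow-helper}
    meta=$(stat -c '%U %G %a' "$f") || return 3
    set -- $meta                      # split into owner, group, mode
    classify_helper "$1" "$2" "$3" "$(getcap "$f" 2>/dev/null)"
}

# Audit a path only when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_helper "$1"; fi
```

For instance, classify_helper maddy shadow 2755 '' reports "UNSAFE: executable by others"; 2755 is the mode a binary installed as 0755 ends up with when only u+x,g+xs is applied.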