If you update/reinstall the baselayout package (at least version 2.0.1) it changes rights on /etc/shadow to 600. But it can be useful to allow non-root programs to read /etc/shadow (group set to shadow, rights set to 640), for example mod_auth_pam for apache2. At the moment, upgrading baselayout will cause mod_auth_pam to stop working.

Reproducible: Always

Steps to Reproduce:
1. Set rights to 640: chmod 640 /etc/shadow
2. Update/Reinstall baselayout-2.0.1
3. Look at rights of /etc/shadow: ls -lh /etc/shadow

Actual Results:
The baselayout package changes fs rights without request.

Expected Results:
The baselayout package shouldn't change rights without requesting and should give a warning that 640 on /etc/shadow _can_ be a security issue.
Removing the privileges was done as part of bug 260993. It only mentioned removing world readable permissions. Bug 28114 talks a little about mod_auth_pam, it seems it needs to read shadow directly rather than using PAM to validate passwords... I'll pass this to the baselayout guys for a judgement call, but if it helps [1] recommends using mod_authnz_external [2] for authenticating against shadow passwords. Mod_authnz_external's in the tree for apache-2 at least...

[1] http://pam.sourceforge.net/mod_auth_pam/
[2] http://code.google.com/p/mod-auth-external/
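An added example (not part of this bug thread or of the baselayout ebuild): a small POSIX shell audit that checks /etc/shadow after a package upgrade and accepts only the two layouts discussed above, 600 (the baselayout default) or 640 with group shadow (what mod_auth_pam needs), flagging anything world-readable. The function names and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report: verify the mode/group of a shadow-style
# file against the policy discussed in the bug. Any other layout is a finding.

# check_shadow_perms MODE GROUP
# MODE is the octal mode as printed by `stat -c %a` (e.g. 600, 640, 644).
# Returns 0 when acceptable, 1 when too many principals can read the file.
check_shadow_perms() {
    mode=$1
    group=$2
    case "$mode" in
        600|400) return 0 ;;                                  # root only
        640) [ "$group" = "shadow" ] && return 0 ;;           # shadow group may read
    esac
    return 1
}

# describe_shadow_perms MODE GROUP: print a one-line verdict for a report/log.
describe_shadow_perms() {
    if check_shadow_perms "$1" "$2"; then
        echo "ok: mode $1 group $2"
    else
        case "$1" in
            # world read bit set when the last octal digit is 4, 5, 6 or 7
            *[4567]) echo "FINDING: mode $1 is world-readable" ;;
            *)       echo "FINDING: mode $1 group $2 not in policy" ;;
        esac
    fi
}

# audit_shadow_file [PATH]: read the live mode and group (GNU/busybox stat
# syntax assumed), print the verdict, and return the policy result.
audit_shadow_file() {
    f=${1:-/etc/shadow}
    perms=$(stat -c '%a %G' "$f") || return 2
    mode=${perms% *}
    group=${perms#* }
    describe_shadow_perms "$mode" "$group"
    check_shadow_perms "$mode" "$group"
}
```

Run `audit_shadow_file` after `emerge baselayout` (or from any post-upgrade hook you already use) to notice the reset from 640 to 600 before mod_auth_pam silently stops authenticating, and to catch the opposite mistake of a world-readable shadow file.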
http://sources.gentoo.org/sys-apps/baselayout/baselayout-2.0.1.ebuild?r1=1.1&r2=1.2