2026-03-23 14:11:19 +01:00
|
|
|
# Security Policy
|
|
|
|
|
|
|
|
|
|
## Scope
|
|
|
|
|
|
|
|
|
|
shadow-rs reimplements setuid-root tools that write to `/etc/passwd`,
|
|
|
|
|
`/etc/shadow`, and `/etc/group`. Security vulnerabilities in this code can
|
|
|
|
|
lead to privilege escalation, account takeover, or system lockout.
|
|
|
|
|
|
|
|
|
|
We take security issues extremely seriously.
|
|
|
|
|
|
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
|
|
|
|
|
|
**Do NOT open a public GitHub issue for security vulnerabilities.**
|
|
|
|
|
|
|
|
|
|
Instead, please report vulnerabilities via GitHub's private vulnerability
|
|
|
|
|
reporting feature:
|
|
|
|
|
|
2026-04-22 15:31:42 +02:00
|
|
|
1. Go to https://github.com/uutils/shadow-rs/security/advisories
|
2026-03-23 14:11:19 +01:00
|
|
|
2. Click "New draft security advisory"
|
|
|
|
|
3. Fill in the details
|
|
|
|
|
|
2026-03-23 14:36:22 +01:00
|
|
|
If private advisory reporting is unavailable, contact the maintainers
|
|
|
|
|
directly using a private channel (for example, the email address listed
|
|
|
|
|
in a maintainer's GitHub profile). Do not open a public GitHub issue for
|
|
|
|
|
security vulnerabilities.
|
2026-03-23 14:11:19 +01:00
|
|
|
|
|
|
|
|
## What to Include
|
|
|
|
|
|
|
|
|
|
- Description of the vulnerability
|
|
|
|
|
- Steps to reproduce
|
|
|
|
|
- Affected versions / commits
|
|
|
|
|
- Impact assessment (privilege escalation, data leak, DoS, etc.)
|
|
|
|
|
- Suggested fix (if you have one)
|
|
|
|
|
|
|
|
|
|
## Response Timeline
|
|
|
|
|
|
|
|
|
|
- **Acknowledgment**: within 48 hours
|
|
|
|
|
- **Initial assessment**: within 7 days
|
|
|
|
|
- **Fix and disclosure**: coordinated, typically within 30 days
|
|
|
|
|
|
|
|
|
|
## Supported Versions
|
|
|
|
|
|
|
|
|
|
Only the latest version on the `main` branch is supported during
|
|
|
|
|
pre-1.0 development.
|
|
|
|
|
|
|
|
|
|
## Security Design Principles
|
|
|
|
|
|
|
|
|
|
- **Memory safety**: Rust eliminates buffer overflows, use-after-free,
|
|
|
|
|
and uninitialized memory reads
|
|
|
|
|
- **Password zeroing**: sensitive data is zeroed in memory via the
|
|
|
|
|
`zeroize` crate before deallocation
|
|
|
|
|
- **Atomic file operations**: lock → write tmp → fsync → rename prevents
|
|
|
|
|
partial writes and corruption
|
|
|
|
|
- **Stale lock detection**: PID-based detection prevents permanent lockout
|
|
|
|
|
from crashed processes
|
|
|
|
|
- **PAM delegation**: password changes go through PAM — we do not implement
|
|
|
|
|
our own password hashing
|
|
|
|
|
- **No GPL code**: clean-room implementation prevents license contamination
|