Files
Pierre Warnier 3e6dab9b18 docs: update all URLs from shadow-utils-rs to uutils org
Repo transferred to uutils/shadow-rs. Update all references:
- README.md: CI badge, license badge, clone URL
- Cargo.toml: repository, homepage
- CONTRIBUTING.md: clone URL
- SECURITY.md: advisory URL
- shadow-rs.spec: source URL
- CLAUDE.md: PR review API URLs, kanban board
2026-04-22 15:31:42 +02:00

59 lines
1.9 KiB
Markdown

# Security Policy
## Scope
shadow-rs reimplements setuid-root tools that write to `/etc/passwd`,
`/etc/shadow`, and `/etc/group`. Security vulnerabilities in this code can
lead to privilege escalation, account takeover, or system lockout.
We take security issues extremely seriously.
## Reporting a Vulnerability
**Do NOT open a public GitHub issue for security vulnerabilities.**
Instead, please report vulnerabilities via GitHub's private vulnerability
reporting feature:
1. Go to https://github.com/uutils/shadow-rs/security/advisories
2. Click "New draft security advisory"
3. Fill in the details
If private advisory reporting is unavailable, contact the maintainers
directly using a private channel (for example, the email address listed
in a maintainer's GitHub profile). Do not open a public GitHub issue for
security vulnerabilities.
## What to Include
- Description of the vulnerability
- Steps to reproduce
- Affected versions / commits
- Impact assessment (privilege escalation, data leak, DoS, etc.)
- Suggested fix (if you have one)
## Response Timeline
- **Acknowledgment**: within 48 hours
- **Initial assessment**: within 7 days
- **Fix and disclosure**: coordinated, typically within 30 days
## Supported Versions
Only the latest version on the `main` branch is supported during
pre-1.0 development.
## Security Design Principles
- **Memory safety**: Rust eliminates buffer overflows, use-after-free,
and uninitialized memory reads
- **Password zeroing**: sensitive data is zeroed in memory via the
`zeroize` crate before deallocation
- **Atomic file operations**: lock → write tmp → fsync → rename prevents
partial writes and corruption
- **Stale lock detection**: PID-based detection prevents permanent lockout
from crashed processes
- **PAM delegation**: password changes go through PAM — we do not implement
our own password hashing
- **No GPL code**: clean-room implementation prevents license contamination