mirror of
https://github.com/uutils/shadow.git
synced 2026-06-10 16:14:57 -07:00
3e6dab9b18
Repo transferred to uutils/shadow-rs. Update all references: - README.md: CI badge, license badge, clone URL - Cargo.toml: repository, homepage - CONTRIBUTING.md: clone URL - SECURITY.md: advisory URL - shadow-rs.spec: source URL - CLAUDE.md: PR review API URLs, kanban board
59 lines
1.9 KiB
Markdown
59 lines
1.9 KiB
Markdown
# Security Policy
|
|
|
|
## Scope
|
|
|
|
shadow-rs reimplements setuid-root tools that write to `/etc/passwd`,
|
|
`/etc/shadow`, and `/etc/group`. Security vulnerabilities in this code can
|
|
lead to privilege escalation, account takeover, or system lockout.
|
|
|
|
We take security issues extremely seriously.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Do NOT open a public GitHub issue for security vulnerabilities.**
|
|
|
|
Instead, please report vulnerabilities via GitHub's private vulnerability
|
|
reporting feature:
|
|
|
|
1. Go to https://github.com/uutils/shadow-rs/security/advisories
|
|
2. Click "New draft security advisory"
|
|
3. Fill in the details
|
|
|
|
If private advisory reporting is unavailable, contact the maintainers
|
|
directly using a private channel (for example, the email address listed
|
|
in a maintainer's GitHub profile). Do not open a public GitHub issue for
|
|
security vulnerabilities.
|
|
|
|
## What to Include
|
|
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Affected versions / commits
|
|
- Impact assessment (privilege escalation, data leak, DoS, etc.)
|
|
- Suggested fix (if you have one)
|
|
|
|
## Response Timeline
|
|
|
|
- **Acknowledgment**: within 48 hours
|
|
- **Initial assessment**: within 7 days
|
|
- **Fix and disclosure**: coordinated, typically within 30 days
|
|
|
|
## Supported Versions
|
|
|
|
Only the latest version on the `main` branch is supported during
|
|
pre-1.0 development.
|
|
|
|
## Security Design Principles
|
|
|
|
- **Memory safety**: Rust eliminates buffer overflows, use-after-free,
|
|
and uninitialized memory reads
|
|
- **Password zeroing**: sensitive data is zeroed in memory via the
|
|
`zeroize` crate before deallocation
|
|
- **Atomic file operations**: lock → write tmp → fsync → rename prevents
|
|
partial writes and corruption
|
|
- **Stale lock detection**: PID-based detection prevents permanent lockout
|
|
from crashed processes
|
|
- **PAM delegation**: password changes go through PAM — we do not implement
|
|
our own password hashing
|
|
- **No GPL code**: clean-room implementation prevents license contamination
|