Files
shadow/docs/OPENBSD-REFERENCE.md
Pierre Warnier 0a33f2186d review: address 5 Copilot review comments
- Fix function name: sanitize_env() → sanitized_env() / harden_process()
- Fix SIGINT handler: was removed, not implemented
- Fix user enumeration: early permission check, not constant-time PAM
- Fix Rust module paths: shadow-core → shadow_core (crate vs module)
2026-04-03 15:27:58 +02:00

1.9 KiB

OpenBSD Security Reference for shadow-rs

Detailed analysis of OpenBSD's passwd implementation (ISC license). Source: cvsweb.openbsd.org/src/usr.bin/passwd/ and src/lib/libutil/passwd.c.

Findings — What OpenBSD Does That We Should

Already Implemented

# Pattern Status
Signal blocking during file writes #38 — SignalBlocker RAII
Privilege drop during PAM conversation #39 — PrivDrop RAII
Environment sanitization #40 — sanitized_env() / harden_process()
Landlock filesystem restriction #41 — apply_landlock() in passwd
Absolute paths for subprocesses #20 — /usr/sbin/nscd
Password zeroing #7 — zeroize crate
Secure temp file permissions #19 — 0o600 from creation
TOCTOU-resistant locking #18 — lock-via-hard-link
Core dump suppression #43 — suppress_core_dumps() in hardening.rs
Resource limit hardening #44 — raise_file_size_limit() in hardening.rs
Zero-length output guard #45 — in atomic_write
setuid(0) consolidation #47 — before file operations in passwd
User enumeration prevention #49 — early permission check in passwd
Password input interrupt handling #48 — custom SIGINT handler removed; signal blocking covers critical sections
Umask reset #51 — UmaskGuard RAII in lock/tmp creation

Not Yet Implemented

MEDIUM: Seccomp-BPF

Restrict syscalls to only what passwd needs after initialization. Complex but effective — sudo-rs uses this approach.

File References