Persistent FACL for /etc/shadow possible?
I'm trying to find a way to add a persistent FACL to /etc/shadow.
Unfortunately, when anyone uses the passwd command the file doesn't get updated - it gets _replaced_, gaining a new inode with new (default) permissions.
I tried creating /etc/stmp with the appropriate FACL, and it does get inherited when it is renamed to /etc/shadow (I've been digging through truss output from the passwd command), but since stmp also gets unlinked afterwards, this only works once (so after 2 password changes, the FACL is lost).
This gets around the need for a duplicate root account (or using root itself) - so this actually increases security over a proposed configuration.
Alternatively, is there another way (via RBAC maybe?) to allow a _single_ user to read the shadow file?
I'd rather not have to put a modified passwd command on the systems.
BTW: This has been tested in Solaris 9 & 10.
Thank you very much,
Kevin
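The mechanism Kevin describes (passwd writes a temporary file, then renames it over /etc/shadow, so the protections live on an inode that is thrown away) can be reproduced outside Solaris. The following is an added example, not code from the post or from the passwd command: it simulates the write-stmp-then-rename sequence in a scratch directory and uses the owner/group mode bits as a stand-in for the extra FACL entry, since setfacl is not portable and a FACL is per-inode in exactly the same way. File names, modes and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed names and modes; 0o440 plays the role of "root plus one extra reader",
# 0o400 plays the role of the default protection passwd puts on its new file.
SHADOW_NAME = "shadow"
STMP_NAME = "stmp"
DEFAULT_MODE = 0o400      # what a freshly created stmp gets
EXTRA_READ_MODE = 0o440   # stand-in for the admin's persistent FACL


def current_state(path):
    """Return (permission bits, inode number) for path."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), st.st_ino


def passwd_update(dirpath, new_contents):
    """Mimic the observed passwd behaviour: write <dir>/stmp, rename it over <dir>/shadow.

    O_CREAT only applies DEFAULT_MODE when stmp does not exist yet; a pre-staged
    stmp keeps whatever protections it already carries, which is why a hand-made
    stmp "inherits" once and only once (the rename consumes the name).
    """
    stmp = os.path.join(dirpath, STMP_NAME)
    shadow = os.path.join(dirpath, SHADOW_NAME)
    fd = os.open(stmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, DEFAULT_MODE)
    with os.fdopen(fd, "w") as fh:
        fh.write(new_contents)
    os.rename(stmp, shadow)   # old shadow inode is unlinked, stmp name disappears
    return current_state(shadow)


def stage_stmp_with_acl(dirpath):
    """The workaround from the post: pre-create stmp carrying the wanted protections."""
    stmp = os.path.join(dirpath, STMP_NAME)
    with open(stmp, "w") as fh:
        fh.write("")
    os.chmod(stmp, EXTRA_READ_MODE)


def run_demo():
    """Drive the sequence and return [(label, mode, inode), ...] for inspection."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, SHADOW_NAME)
        # Initial shadow file with the admin's extra read entry applied.
        with open(shadow, "w") as fh:
            fh.write("root:x:1::::::\n")
        os.chmod(shadow, EXTRA_READ_MODE)
        results.append(("initial",) + current_state(shadow))

        # First password change: shadow is replaced, protections are gone.
        results.append(("after passwd #1",) + passwd_update(d, "root:x:2::::::\n"))

        # Admin pre-stages stmp with the protections; next change inherits them.
        stage_stmp_with_acl(d)
        results.append(("after passwd #2 (staged)",) + passwd_update(d, "root:x:3::::::\n"))

        # The staged stmp was consumed by the rename, so the change after that loses them again.
        results.append(("after passwd #3",) + passwd_update(d, "root:x:4::::::\n"))
    return results


if __name__ == "__main__":
    for label, mode, ino in run_demo():
        print(f"{label:26s} mode={oct(mode)} inode={ino}")
```

Each rename hands /etc/shadow a brand-new inode, so any per-inode metadata (mode bits here, FACL entries on the real system) is only as persistent as the temporary file that carried it; that is the same observation the truss output in the post shows.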

