{"guid":"ee1273f1-cffb-5536-aebd-79574ad66f50","title":"Accessing shadow records via varlink","subtitle":null,"slug":"all-systems-go-2025-350-accessing-shadow-records-via-varlink","link":"https://cfp.all-systems-go.io/all-systems-go-2025/talk/RUTE9Y/","description":"Provide a varlink service to access /etc/passwd and /etc/shadow so that no setuid or setgid binaries are necessary for this task.\n\nThere are two independent \"problems\" which can be solved with the same idea: all files in /usr should be owned by root:root, and no setuid binary should be needed. The first is a requirement of image-based updates of /usr to avoid UID/GID drift; the second is a security feature wanted by systemd developers and security teams.\nCurrently, most setuid binaries (or setgid binaries owned by group shadow) besides su and sudo need the elevated privilege only to read the shadow entry of the calling user. This task could be delegated to a systemd socket-activated service which provides the shadow entry for the calling user.\nIn this talk I will present the motivation, the current implementation and feedback from security teams.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/","original_language":"eng","persons":["Thorsten Kukuk"],"tags":["350","2025","asg2025","Galerie","asg2025-eng","asg2025","Day 
1"],"view_count":74,"promoted":false,"date":"2025-09-30T12:25:00.000+02:00","release_date":"2025-09-30T00:00:00.000+02:00","updated_at":"2026-02-21T05:45:03.434+01:00","length":1572,"duration":1572,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2025/350-ee1273f1-cffb-5536-aebd-79574ad66f50.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/all-systems-go-2025-350-accessing-shadow-records-via-varlink","url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_title":"All Systems Go! 2025","conference_url":"https://api.media.ccc.de/public/conferences/asg2025","related":[],"recordings":[{"size":162,"length":1572,"mime_type":"video/webm;codecs=av01","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-09-30T15:09:27.145+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2025/av1-hd/asg2025-350-eng-Accessing_shadow_records_via_varlink_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/91754","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"},{"size":62,"length":1572,"mime_type":"video/webm","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-09-30T16:21:05.836+02:00","recording_url":"https://cdn.media.ccc.de/even
ts/all_systems_go/2025/webm-sd/asg2025-350-eng-Accessing_shadow_records_via_varlink_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/91776","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"},{"size":198,"length":1572,"mime_type":"video/webm","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-09-30T16:21:01.279+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2025/webm-hd/asg2025-350-eng-Accessing_shadow_records_via_varlink_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/91775","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"},{"size":14,"length":1572,"mime_type":"audio/opus","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-09-30T15:03:17.524+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2025/opus/asg2025-350-eng-Accessing_shadow_records_via_varlink_opus.opus","url":"https://api.media.ccc.de/public/recordings/91750","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"},{"size":60,"length":1572,"mime_type":"video/mp4","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-09-30T15:02:42.294+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2025/h264-sd/asg2025-350-eng-Accessing_shadow_records_via_varlink_sd.mp4","url":"https://api.media.ccc.d
e/public/recordings/91748","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"},{"size":23,"length":1572,"mime_type":"audio/mpeg","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-09-30T14:58:50.215+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2025/mp3/asg2025-350-eng-Accessing_shadow_records_via_varlink_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/91745","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"},{"size":285,"length":1572,"mime_type":"video/mp4","language":"eng","filename":"asg2025-350-eng-Accessing_shadow_records_via_varlink_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-09-30T14:55:35.215+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2025/h264-hd/asg2025-350-eng-Accessing_shadow_records_via_varlink_hd.mp4","url":"https://api.media.ccc.de/public/recordings/91735","event_url":"https://api.media.ccc.de/public/events/ee1273f1-cffb-5536-aebd-79574ad66f50","conference_url":"https://api.media.ccc.de/public/conferences/asg2025"}]}