Provide a varlink service to access /etc/passwd and /etc/shadow so that no setuid and setgid binaries are necessary for this task.

There are two independent "problems" which can be solved with the same idea: all files in /usr should be owned by root:root and no setuid binary should be needed. The first one is a requirement of image based updates of /usr to avoid UID/GID drift, the second one is a security feature wished by systemd developers and security teams.

Currently most setuid binaries (or setgid binaries owned by group shadow) beside su and sudo only need this to read the shadow entry of the calling user. This task could be delegated to a systemd socket activated service which provides the user shadow entry for the calling user.

In this talk I will present the why, the current implementation and feedback from security teams.

Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/

about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/RUTE9Y/