From dff81d5bde42c65fe0e87192c4d7aab033e0b72e Mon Sep 17 00:00:00 2001 From: millert <> Date: Thu, 21 Nov 2002 21:25:19 +0000 Subject: [PATCH] Add a "shadow" group and make the shadow passwd db readable by that group. This changes getpw* to always try the shadow db first and then fall back to the db w/o password hashes. In the future, /usr/libexec/auth/login_passwd (and others) will be setgid shadow instead of setuid root. OK deraadt@ If you track -current you should do the following: o add group shadow to /etc/group o chgrp shadow /etc/spwd.db o chmod 640 /etc/spwd.db o rebuild and install src/usr.sbin/pwd_mkdb You do not need to rebuild libc yet, but it wouldn't hurt to do so. --- src/etc/group | 1 + src/etc/mtree/special | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/etc/group b/src/etc/group index 60c09cd0..f9bfb4d5 100644 --- a/src/etc/group +++ b/src/etc/group @@ -23,6 +23,7 @@ _fingerd:*:33: _sshagnt:*:34: _x11:*:35: utmp:*:45: +shadow:*:65: crontab:*:66: www:*:67: network:*:69: diff --git a/src/etc/mtree/special b/src/etc/mtree/special index a0cb05b0..7a18e3f8 100644 --- a/src/etc/mtree/special +++ b/src/etc/mtree/special @@ -1,4 +1,4 @@ -# $OpenBSD: special,v 1.47 2002/10/04 23:28:38 deraadt Exp $ +# $OpenBSD: special,v 1.48 2002/11/21 21:25:19 millert Exp $ # $NetBSD: special,v 1.4 1996/05/08 21:30:18 pk Exp $ # @(#)special 8.2 (Berkeley) 1/23/94 # @@ -69,7 +69,7 @@ security type=file mode=0644 uname=root gname=wheel shells type=file mode=0644 uname=root gname=wheel skey type=dir mode=01730 uname=root gname=auth optional .. #skey -spwd.db type=file mode=0600 uname=root gname=wheel +spwd.db type=file mode=0640 uname=root gname=shadow ssh type=dir mode=0755 uname=root gname=wheel optional ssh_config type=file mode=0644 uname=root gname=wheel ssh_host_dsa_key type=file mode=0600 uname=root gname=wheel optional
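
Review bot: In the src/etc/group hunk, the new entry `shadow:*:65:` fixes the gid at 65, but the upgrade steps in the commit message only say "add group shadow to /etc/group" without naming the gid. Please state gid 65 in the instructions so that hand-edited systems end up with the same numeric group as the shipped file; otherwise the later `chgrp shadow /etc/spwd.db` can leave the hash database owned by a different gid than on a fresh install. The empty member list is the right default here, since read access to the hashes is meant to come from setgid binaries rather than from user membership, and a short comment or note saying that no users should be added to this group would help.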
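
Review bot: In the second src/etc/mtree/special hunk, `spwd.db` goes from `mode=0600 ... gname=wheel` to `mode=0640 ... gname=shadow`, but the diffstat lists only etc/group and etc/mtree/special, so the code that actually creates the file with that owner and mode is not visible in this patch. The commit message tells users to rebuild pwd_mkdb; please confirm that it writes spwd.db as 0640 root:shadow, because if it still creates the file 0600 root:wheel, the next password database rebuild will silently undo the manual chgrp/chmod and the mtree check will then flag the file. Since the group read bit now exposes every password hash to any process running with group shadow, it is also worth documenting alongside this entry that only the intended auth helpers should ever be setgid shadow.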