On 5/20/2019 6:06 PM, Christian Heimes wrote:

Removing the crypt module would remove support for system-standard
password files.  I don't understand the rationale.

Applications *must* not access system-standard password files directly. On any 
sanely and securely configured system, applications cannot even access system 
password files like /etc/shadow. Access restrictions and system security 
policies will prevent read access. Also, applications cannot assume that users 
are present in any user file. They may come from LDAP, SSSD, ActiveDirectory, 
or other sources.

The correct way to interact with system users is to use the proper APIs, which 
are NSS (name service switch) and PAM (pluggable authentication modules). NSS 
looks up and enumerates users and groups. PAM performs password validation and 
much, much, much more. The pwd and grp modules use the correct APIs to interact 
with NSS. If you need to check or change passwords, you must go through PAM.

Add this to the PEP?  It might suggest that crypt should go away sooner.


--
Terry Jan Reedy
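
The NSS lookup path described in the message above, as an added example that is not part of the original thread: it resolves an account through the `pwd` and `grp` modules and reports whether that account also appears in the local /etc/passwd file, which is not guaranteed for LDAP or SSSD users. The helper names `describe_user`, `in_local_passwd_file` and `current_user` are hypothetical; password verification is left out because it belongs to PAM.

```python
import grp
import os
import pwd


def in_local_passwd_file(name, path="/etc/passwd"):
    """True if `name` has an entry in the local flat file (no hashes live there)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(line.split(":", 1)[0] == name for line in fh)
    except OSError:
        return False


def describe_user(name):
    """Resolve `name` through NSS; return None if no configured source knows it."""
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return None
    # os.getgrouplist also goes through NSS, so directory-backed groups are included.
    groups = []
    for gid in os.getgrouplist(entry.pw_name, entry.pw_gid):
        try:
            groups.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            groups.append(str(gid))  # gid with no resolvable group name
    return {
        "name": entry.pw_name,
        "uid": entry.pw_uid,
        "gid": entry.pw_gid,
        "home": entry.pw_dir,
        "shell": entry.pw_shell,
        "groups": sorted(groups),
        # False means the account came from a non-file source (LDAP, SSSD, ...).
        "in_local_file": in_local_passwd_file(entry.pw_name),
    }


def current_user():
    """Describe the account this process runs as, or None if its uid has no NSS entry."""
    try:
        return describe_user(pwd.getpwuid(os.getuid()).pw_name)
    except KeyError:
        return None


if __name__ == "__main__":
    print(current_user())
```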
