On 21/05/2019 01.06, Terry Reedy wrote:
> On 5/20/2019 6:06 PM, Christian Heimes wrote:
> 
>>> Removing the crypt module would remove support for system-standard
>>> password files.  I don't understand the rationale.
>>
>> Applications *must* not access system-standard password files directly. On 
>> any sanely and securely configured system, applications cannot even access 
>> system password files like /etc/shadow. Access restrictions and system 
>> security policies will prevent read access. Also applications cannot assume 
>> that users are present in any user file. They may come from LDAP, SSSD, 
>> ActiveDirectory, or other sources.
>>
>> The correct way to interact with system users is to use the proper APIs, 
>> that are NSS (name service switch) and PAM (pluggable authentication 
>> modules). NSS looks up and enumerates users and groups. PAM performs password 
>> validation and much, much, much more. The pwd and grp modules use the 
>> correct APIs to interact with NSS. If you need to check or change passwords, 
>> you must go through PAM.
> 
> Add this to the PEP?  It might suggest that crypt should go away sooner.

Yes, I'll do that. I'm currently collecting updates from feedback in PR 
https://github.com/python/peps/pull/1063

Christian
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
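
The NSS lookup described in the message above, as an added example that is not part of the original thread: it resolves an account with the `pwd` and `grp` modules and contrasts that with reading `/etc/passwd` directly. The helper names `resolve_user`, `names_in_passwd_file` and `known_to_nss_only` are hypothetical; password verification, which the message says must go through PAM, is not shown.

```python
import grp
import os
import pwd


def resolve_user(name):
    """Look up an account through NSS; return None if no source knows it."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    # os.getgrouplist asks NSS for every group the user belongs to,
    # including groups defined in LDAP/SSSD rather than /etc/group.
    groups = []
    for gid in os.getgrouplist(pw.pw_name, pw.pw_gid):
        try:
            groups.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            groups.append(str(gid))  # gid with no name in any NSS source
    return {
        "name": pw.pw_name,
        "uid": pw.pw_uid,
        "gid": pw.pw_gid,
        "home": pw.pw_dir,
        "shell": pw.pw_shell,
        "groups": sorted(groups),
    }


def names_in_passwd_file(path="/etc/passwd"):
    """Parse the flat file directly: the approach the message warns against."""
    names = set()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                # Skip comments and legacy NIS compat markers (+ / -).
                if line and not line.startswith(("#", "+", "-")):
                    names.add(line.split(":", 1)[0])
    except OSError:
        pass  # unreadable or missing file: the parser simply sees nobody
    return names


def known_to_nss_only(name, path="/etc/passwd"):
    """True when NSS resolves the account but the flat file does not list it."""
    return resolve_user(name) is not None and name not in names_in_passwd_file(path)
```

Lookups by name (`pwd.getpwnam`) are used here rather than `pwd.getpwall()`, because directory back ends often disable enumeration while still answering individual lookups.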