[Python-Dev] PEP 594: Removing dead batteries from the standard library

Christian Heimes christian at python.org
Mon May 20 19:32:06 EDT 2019


On 21/05/2019 01.06, Terry Reedy wrote:
> On 5/20/2019 6:06 PM, Christian Heimes wrote:
> 
>>> Removing the crypt module would remove support for system-standard
>>> password files.  I don't understand the rationale.
>>
>> Applications *must* not access system-standard password files directly. On any sanely and securely configured system, applications cannot even access system password files like /etc/shadow. Access restrictions and system security policies will prevent read access. Also applications cannot assume that users are present in any user file. They may come from LDAP, SSSD, ActiveDirectory, or other sources.
>>
>> The correct way to interact with system users is to use the proper APIs, that are NSS (name service switch) and PAM (pluggable authentication modules). NSS looks up and enumerates users and groups. PAM performs password validation and much, much, much more. The pwd and grp modules use the correct APIs to interact with NSS. If you need to check or change passwords, you must go through PAM.
> 
> Add this to the PEP?  It might suggest that crypt should go away sooner.

Yes, I'll do that. I'm currently collecting updates from feedback in PR https://github.com/python/peps/pull/1063

Christian
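
The following is an added example, not part of the original message or of the PEP. It contrasts resolving an account through NSS (via the pwd module) with parsing a passwd file directly, and checks whether the running process could read the shadow file. The function names and the sample passwd line are constructed for illustration.

```python
import os
import pwd

# Constructed sample of a local passwd file that lacks directory-service users.
CONSTRUCTED_PASSWD = "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

def names_in_passwd_text(text):
    """Account names found by parsing passwd-format text directly (the fragile way)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and legacy NIS compat entries (+name / -name).
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            names.add(fields[0])
    return names

def resolve_user(name, passwd_text):
    """Resolve an account through NSS and report whether file parsing would find it."""
    try:
        entry = pwd.getpwnam(name)  # NSS lookup: files, LDAP, SSSD, ...
    except KeyError:
        entry = None
    in_file = name in names_in_passwd_text(passwd_text)
    return {
        "name": name,
        "known_to_nss": entry is not None,
        "uid": entry.pw_uid if entry else None,
        "in_local_file": in_file,
        # Known to NSS but absent from the file: file parsing misses the account.
        "file_parsing_would_miss": entry is not None and not in_file,
    }

def shadow_readable(path="/etc/shadow"):
    """True if this process can read the shadow file; an application should get False."""
    return os.access(path, os.R_OK)

if __name__ == "__main__":
    print(resolve_user("root", CONSTRUCTED_PASSWD))
    print("shadow readable by this process:", shadow_readable())
```

A True result from shadow_readable() in an application process means it runs with more privilege than it needs. Password checks themselves are not shown here, since they go through PAM.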

