Proposal: adopt shadow-utils-rs as a new uutils family member

[pierre-warnier]

Context

shadow-rs is a memory-safe Rust reimplementation of the 14 shadow-utils tools (passwd, useradd, userdel, usermod, groupadd, groupdel, groupmod, chage, chpasswd, chfn, chsh, newgrp, pwck, grpck). Built on uucore, MIT licensed, clean-room GPL development (no reference to shadow-maint/shadow source). Already aligned with uutils conventions (uumain/uu_app, UResult, multicall binary, workspace layout).

Repo: https://github.com/shadow-utils-rs/shadow-rs

(cc @sylvestredeb — suite à notre échange email du 3 avril)

Status

• 14 tools with GNU-compatible flags and exit codes
• PAM integration for authentication and password changes
• Atomic file writes with lock files and stale lock detection
• 587 tests (unit, property-based, integration), 6 fuzz targets
• Docker test matrix: Debian (glibc), Alpine (musl), Fedora (SELinux enforcing)
• unsafe_code = "deny" workspace-wide (only PAM/crypt FFI exempt)
• 894 KB stripped multicall binary

Open questions for maintainers

1. Repo location: transfer to a uutils/shadow repo, or keep it as affiliated shadow-utils-rs/shadow-rs?
2. newgrp overlap: does uutils/login already handle newgrp? If so we need to coordinate.
3. Crate naming: shadow-rs publishes uu_passwd, uu_useradd, etc. — any planned conflicts with uutils crates on crates.io?
4. CI template: should I migrate to the uutils GitHub Actions template?
5. File headers / authorship: any uutils conventions I should adopt beyond what's already in place?

Happy to do whatever integration work is needed.

[oech3]

Should we have SUID binary as multi-call binary?

[pierre-warnier]

@oech3 — valid concern, and you're right to flag it.

Current state: the default make install installs one multicall shadow-rs binary with symlinks for all 14 tools, then chmod 4755 on the passwd/chfn/chsh/newgrp symlinks (which follows through to the ELF). Net result: the binary is setuid root, so useradd, usermod, etc. also run with euid=0 when invoked. Each tool has an internal getuid() == 0 check for root-only operations, but that's defense-in-depth, not OS-level least privilege.

Alternative: each tool crate already has its own [[bin]] entry, so cargo build --bin passwd etc. produces standalone binaries. That would allow the traditional setuid layout: only passwd/chfn/chsh/newgrp are mode 4755, the other 10 are plain 0755 (or 0700 root-owned).

Trade-off:

• Multicall: smaller total install (~900 KB stripped for all 14), simpler packaging, but larger setuid attack surface
• Per-tool: ~14× the disk footprint, but OS-level least privilege matches GNU shadow-utils exactly

I'd be happy to switch the default install to per-tool binaries and keep multicall as an opt-in for container/embedded use cases where the trade-off makes sense. Does that match what uutils would want?

[oech3]

I guess we can force-build standalone binaries for SUID bins by default.

[pierre-warnier]

@oech3 agreed — I'll switch the default make install to build and install the 14 tools as standalone binaries, with chmod 4755 only on passwd/chfn/chsh/newgrp and 0755 on the rest. That matches GNU shadow-utils' layout exactly.

The multicall shadow-rs binary will stay buildable for container/embedded use cases where the size savings matter and the setuid footprint isn't a concern, but it won't be the default.

Will file as a tracked follow-up once the uutils adoption path is clearer.

[sylvestre]

sure, more than happy to move it under uutils/shadow
can you please initiate the transfer ?

[pierre-warnier]

Transfer initiated but GitHub requires repo-creation permission on the target org. Could you either invite me to uutils or pull the transfer from your side? Repo: shadow-utils-rs/shadow-rs → uutils/shadow.

[pierre-warnier]

@sylvestre gentle ping — could you invite pierre-warnier to the uutils org (or initiate the transfer from your side)? The repo is ready to move: we've merged 3 PRs since the proposal including a least-privilege setuid install layout and a /dev/full panic fix, both driven by @oech3's review feedback.

[sylvestre]

pardon, let's me do that

[sylvestre]

could you please add me to your repo ?

[pierre-warnier]

@sylvestre done — invitation sent with admin access. You should have a notification to accept at https://github.com/shadow-utils-rs/shadow-rs/invitations

[sylvestre]

done
i sent you an invite to own this repo in uutils too :)