Merge pull request #162 from artem-sidorenko/debian-shadow

Proper permissions for shadow on debian family

recipes/minimize_access.rb

@@ -28,11 +28,17 @@
   end
 end
 
-# shadow must only be accessible to user root
+# limit access to shadow. On debian family group shadow should be able to read it
+# (otherwise screensavers might break etc)
 file '/etc/shadow' do
   owner 'root'
-  group 'root'
-  mode '0600'
+  if node['platform_family'] == 'debian'
+    group 'shadow'
+    mode '0640'
+  else
+    group 'root'
+    mode '0600'
+  end
 end
 
 # su must only be accessible to user and group root

spec/recipes/minimize_access_spec.rb

@@ -82,8 +82,8 @@
   it 'creates /etc/shadow' do
     is_expected.to create_file('/etc/shadow').with(
       user: 'root',
-      group: 'root',
-      mode: '0600'
+      group: 'shadow',
+      mode: '0640'
     )
   end