Pau Lo asked:
shadow and passwd permissions
Can you assist with interpreting the output of getfacl for the /etc/passwd and /etc/shadow files on a live server? The output shows as below:
# file: etc/shadow
# owner: root
# group: root
user::---
group::---
other::---
/etc/passwd permissions
# file: etc/passwd
# owner: root
# group: root
user::rw-
group::r--
other::r--
From what I understand, security best practice suggests /etc/shadow should only be readable by root (as it contains security-sensitive info), and /etc/passwd should only be writable by root, as you can upgrade permissions to root if you can edit the file. However, the permissions on /etc/passwd indicate 'user' has rw, which indicates read & write permissions. Is this a security flaw or is this the default setting? What does 'user' actually represent, and is it all users on the server? If so, this seems like a problem from the outset.
/etc/shadow looks just fine to me:
getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: root
user::---
group::---
other::---
AFAICT shadow file should be:
getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: root
user::rw-
group::r--
other::---
(meaning file is owned by user: root, group root, owner may Read/Write and group may read, and no access for others).
This is exactly what your data shows.
/etc/shadow - root is sole owner, no other groups/users can even see this file.
/etc/passwd - root is owner, other groups/users may read this file, which is required for system to function.
You said, "/etc/passwd indicate 'user' has rw which indicates read & write permissions".
This is correct.
1) File is owned by root.
2) Owner root can read/write file.
If you get confused, just attempt to write /etc/passwd with a non-root user + you'll find you can't.
I think you may be confusing user + other users.
Note: /etc/shadow does look odd to me, as if you've modified permissions, likely with chmod. Your current /etc/shadow will likely cause subtle problems, especially during software package updates which require /etc/shadow group read access. Correct settings are likely...
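A small audit script in the spirit of the answer's "just check what the permissions actually are" advice, as an added example that is not code from the thread: it reduces a getfacl listing to owner, group and octal mode, counts named ACL entries (which grant access the mode alone does not show), and compares the result with a baseline. The expected modes used here (644 for /etc/passwd, the 640 the answer recommends for /etc/shadow) and the sample listings are assumptions constructed from the asker's output.

```shell
#!/bin/sh
# Added example, not code from the original thread: reduce a getfacl listing to
# "owner group octal-mode named-entries" and compare it with an expected baseline.

# Convert one rwx triplet (e.g. "rw-") into its octal digit.
triplet_to_digit() {
  d=0
  case "$1" in r??) d=$((d + 4));; esac
  case "$1" in ?w?) d=$((d + 2));; esac
  case "$1" in ??x) d=$((d + 1));; esac
  echo "$d"
}

# Read a getfacl listing on stdin and print "owner group mode extra": mode comes from
# the base user::/group::/other:: entries, extra counts named user:NAME:/group:NAME:
# entries, which grant access beyond the mode (ls -l only hints at them with a "+").
acl_to_mode() {
  owner=; group=; u=---; g=---; o=---; extra=0
  while IFS= read -r line; do
    case "$line" in
      "# owner: "*) owner=${line#"# owner: "} ;;
      "# group: "*) group=${line#"# group: "} ;;
      user::*)  u=${line#user::} ;;
      group::*) g=${line#group::} ;;
      other::*) o=${line#other::} ;;
      user:?*:* | group:?*:*) extra=$((extra + 1)) ;;
    esac
  done
  printf '%s %s %s%s%s %s\n' "$owner" "$group" \
    "$(triplet_to_digit "$u")" "$(triplet_to_digit "$g")" "$(triplet_to_digit "$o")" "$extra"
}

# Compare a listing (given as a string) against "owner group mode" with no named entries.
# Returns 0 on match, 1 otherwise, so it can drive an audit loop over several files.
check_acl() {
  want="$1 $2 $3 0"
  got=$(printf '%s\n' "$4" | acl_to_mode)
  if [ "$got" = "$want" ]; then echo "OK: $got"; return 0; fi
  echo "MISMATCH: got '$got', want '$want'" >&2
  return 1
}

# Constructed samples in the shape of the asker's output (getfacl drops the leading "/").
PASSWD_LISTING=$(printf '# file: etc/passwd\n# owner: root\n# group: root\nuser::rw-\ngroup::r--\nother::r--\n')
SHADOW_LISTING=$(printf '# file: etc/shadow\n# owner: root\n# group: root\nuser::---\ngroup::---\nother::---\n')

check_acl root root 644 "$PASSWD_LISTING"          # OK: root root 644 0
check_acl root root 640 "$SHADOW_LISTING" || true  # MISMATCH: got 000, the answer's baseline is 640
```

Take the baseline from your own distribution rather than from the thread: Debian-family systems ship /etc/shadow as 640 root:shadow while RHEL-family systems ship it as 000 root:root, so a listing like the asker's is the stock configuration on the latter. On a live host, feed the script with `getfacl /etc/shadow` instead of the constructed strings.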