Pau Lo
fstab file security

We have run a few security scripts over a Red Hat Linux server, and one of the issues raised is that passwords are available in plain text in the /etc/fstab file. By reviewing the permissions I can see that all users on the server can read this file, so this is not good. I think the /etc/fstab file is being used because there is a link between this server and another for storing documents. I presume amending the ACL on the /etc/fstab file itself from the current, presumably default, ACL is not a good idea, as it could break things. So what other options are there to prevent users from seeing this plain text password in the /etc/fstab file, or what are the best practices in such cases?
ASKER CERTIFIED SOLUTION
David Favor
As was pointed out by David, fstab is a file system mounting resource and commonly has read permissions to allow all.
What passwords are included there?
To access SMB/CIFS shares?
Using autofs (/etc/autofs.conf, /etc/auto.master)...

Much depends on what you have and what the need is.
Pau Lo

ASKER

Yes, to access SMB shares, and the credentials are an AD/domain account, as the connection is to a Windows file server.
Most likely the original design of Unix, and therefore of Linux following it, was not to connect to Windows machines, since they didn't exist at the time of creation...
Adding access to later OSes is sometimes kludged into the distros, and no one thought to change the system with fstab.

It might take some thorough testing to see if 600 access is going to work in all cases...
It sounds as though the Linux box is not joined to the domain.
When it is, root on the Linux side is mapped to administrator...
/etc/smb.conf
/etc/fstab doesn't have an ACL, only owner & access rights.

644 (rw-r--r--) is the default. If /etc/fstab contains passwords, consider dropping o-r:
640 (rw-r-----).
There is no reason why fstab would be world readable on a server. You can safely chmod 600; you would probably break stuff such as user mounts of CD-ROM drives on a desktop.

As mentioned above, fstab does not typically contain sensitive data, so there is little point in preventing it from being read.

Beware that mtab, various files in the proc filesystem, and possibly setuid commands might contain the same data, so you should probably not store passwords there.
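The checks the thread circles around (a CIFS password sitting inline in fstab, the 644 default versus 600/640, and the same data possibly turning up in mtab or /proc/mounts), as an added POSIX sh audit helper that is not from any of the posters. The host, share names and credentials in the sample file are constructed for the example.

```shell
# Added audit helper (not from the original thread): flags fstab/mtab/proc-mounts
# entries with an inline CIFS password and checks who can read the file.
# Print each cifs/smbfs entry with an inline password; return 0 if any found.
find_inline_passwords() {
    found=1
    # fstab fields: device mountpoint fstype options [dump pass]
    while read -r dev mnt type opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank or comment line
        case "$type" in cifs|smbfs) ;; *) continue ;; esac
        case ",$opts," in
            *,password=*|*,pass=*)
                printf 'inline credential: %s on %s\n' "$dev" "$mnt"
                found=0 ;;
        esac
    done < "$1"
    return $found
}

# Return 0 if group or others can read the file (e.g. the 644 default).
is_group_or_other_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-r--r--
    g=$(printf '%s' "$perms" | cut -c5)
    o=$(printf '%s' "$perms" | cut -c8)
    [ "$g" = r ] || [ "$o" = r ]
}

# Exposed = inline password AND readable beyond the owner; return 0 if so.
audit_mount_table() {
    if find_inline_passwords "$1"; then
        if is_group_or_other_readable "$1"; then
            printf '%s: EXPOSED, tighten with chmod 600 (or 640)\n' "$1"
            return 0
        fi
        printf '%s: inline password, but owner-only readable\n' "$1"
        return 1
    fi
    printf '%s: no inline passwords\n' "$1"
    return 1
}

# Write a constructed sample fstab (fictitious host and credentials), print its path.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
//fs.example.test/docs  /mnt/docs  cifs  username=svc_docs,password=Pl4inText,domain=EXAMPLE 0 0
//fs.example.test/pub   /mnt/pub   cifs  guest,ro  0 0
EOF
    chmod 644 "$f" && printf '%s\n' "$f"   # 644 is the default the thread describes
}
```

Run `audit_mount_table /etc/fstab` on the server, and repeat with `/etc/mtab` or `/proc/mounts` to cover the other locations the last reply warns about.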