Pau Lo
asked on
fstab file security
We have run a few security scripts over a Red Hat Linux server, and one of the issues raised is that passwords are available in plain text in the /etc/fstab file. By reviewing the permissions I can see that all users on the server can read this file, so this is not good. I think the /etc/fstab file is being used because there is a link between this server and another for storing documents. I presume amending the ACL on the /etc/fstab file itself, from the current (presumably default) ACL, is not a good idea as it could break things. So what other options are there to prevent users seeing this plain text password in the /etc/fstab file, or what are the best practices in such cases?
ASKER
Yes, to access SMB shares, and the credentials are an AD/domain account, as the connection is to a Windows file server.
Most likely the original design of Unix, and therefore of Linux following it, was not to connect to Windows machines, since they didn't exist at the time of creation...
Adding access to later OSs is sometimes kludged into the distros, and no one thought to change the system with fstab.
It might take some thorough testing to see if 600 access is going to work in all cases...
It sounds as though the Linux box is not joined to the domain.
When it is, root on the Linux is mapped to administrator...
/etc/smb.conf
/etc/fstab doesn't have an ACL, only owner & access rights.
644 (rw-r--r--) is default. If /etc/fstab contains passwords, consider dropping o-r:
640 (rw-r-----).
There is no reason why fstab would be world readable on a server. You can safely chmod 600. You would probably break stuff such as user mounts of CD-ROM drives on a desktop.
As mentioned above, fstab does not typically contain sensitive data, so there is little point in preventing it from being read.
Beware that mtab and various files in the proc filesystem, and possibly setuid commands, might contain the same data, so you should probably not store passwords there.
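As an added example that is not part of this thread or of any answer in it: the replies above circle around two measures, tightening the mode of /etc/fstab and not leaving the password in fstab at all. The script below does the second one for CIFS entries by moving the username, password and domain into a separate file that only its owner can read, and pointing the fstab entry at it with the mount.cifs `credentials=` option (a standard mount.cifs feature, not something the thread itself mentions). The fstab contents, host, share, account name and file paths are constructed for the demo; on a real host the credentials file would be owned by root and the rewrite applied to /etc/fstab.

```shell
#!/bin/sh
# Added example, not code from the original thread. Finds CIFS fstab entries
# that carry an inline password and shows the rewrite that moves the secret
# into a root-only file referenced via the mount.cifs "credentials=" option.
# Every path, host and account name below is constructed for the demo.
set -u

# Constructed sample fstab (no real hosts or accounts).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample
UUID=1234-abcd  /  ext4  defaults  1 1
//fileserver.example.com/docs  /mnt/docs  cifs  username=svc_docs,password=S3cret!,domain=EXAMPLE,uid=1000,_netdev  0 0
//fileserver.example.com/pub   /mnt/pub   cifs  credentials=/etc/cifs-pub.cred,ro,_netdev  0 0
EOF

# Print the cifs entries whose option field (4th column) carries pass=/password=.
# Comment and blank lines are skipped; fstab fields are whitespace separated.
find_inline_passwords() {
    awk '!/^[[:space:]]*(#|$)/ && $3 == "cifs" && $4 ~ /(^|,)(pass|password)=/' "$1"
}

# Emit the body of a mount.cifs credentials file for one fstab line:
# username=, password= and domain= on separate lines, the format mount.cifs reads.
credentials_body() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            key = o[i]; sub(/=.*/, "", key)
            val = o[i]; sub(/^[^=]*=/, "", val)
            if (key == "user" || key == "username") print "username=" val
            else if (key == "pass" || key == "password") print "password=" val
            else if (key == "dom" || key == "domain" || key == "workgroup") print "domain=" val
        }
    }'
}

# Rewrite one fstab line: drop the identity options and put credentials=<path>
# first in the option field. An inline password cannot contain a comma anyway,
# so splitting the option string on "," loses nothing mount.cifs would accept.
rewrite_entry() {
    printf '%s\n' "$1" | awk -v cred="$2" '{
        n = split($4, o, ","); out = "credentials=" cred
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^(user|username|pass|password|dom|domain|workgroup)=/) continue
            out = out "," o[i]
        }
        $4 = out; print
    }'
}

# Write the credentials file so that only its owner can read it (mode 0600),
# whatever the caller's umask is. Prints the resulting permission string.
install_credentials() {
    body=$1; path=$2
    ( umask 077; printf '%s\n' "$body" > "$path" )
    chmod 600 "$path"
    ls -ld "$path" | cut -c1-10        # -rw------- on success
}

# Demo run over the constructed sample.
CRED_DIR=$(mktemp -d)
find_inline_passwords "$SAMPLE_FSTAB" | while IFS= read -r entry; do
    cred="$CRED_DIR/cifs-docs.cred"
    install_credentials "$(credentials_body "$entry")" "$cred"
    echo "replace the fstab line with:"
    rewrite_entry "$entry" "$cred"
done
# After editing the real /etc/fstab, remount and confirm that the password
# string no longer appears anywhere world-readable, e.g.:
#   mount -o remount /mnt/docs; grep -c 'password=' /etc/fstab /proc/mounts /etc/mtab
```

The last check matters because of the point made above about mtab and /proc: lowering the mode of /etc/fstab alone does not help if the same option string is copied somewhere else that is readable, so the password has to leave the option string entirely, and the file holding it is the only thing that needs to be 0600.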
What passwords are included there?
To access SMB/CIFS shares?
Using autofs: /etc/autofs.conf, /etc/auto.master...
Much depends on what you have and what the need is