Ordinary users are able to read /etc/passwd, is this a security hole?

bash security root linux

Solution 1:

Actual password hashes are stored in /etc/shadow, which is not readable by regular users. /etc/passwd holds other information about user ids and shells that must be readable by all users for the system to function.

Solution 2:

Typically, the hashed passwords are stored in /etc/shadow on most Linux systems:

-rw-r----- 1 root shadow 1349 2011-07-03 03:54 /etc/shadow

(They are stored in /etc/master.passwd on BSD systems.)

Programs that need to perform authentication still need to run with root privileges:

-rwsr-xr-x 1 root root 42792 2011-02-14 14:13 /usr/bin/passwd

If you dislike the setuid root programs and one single file containing all the hashed passwords on your system, you can replace it with the Openwall TCB PAM module. This provides every single user with their own file for storing their hashed password -- as a result the number of setuid root programs on the system can be drastically reduced.

Solution 3:

Passwords haven't been stored in /etc/passwd for years now; the name is legacy, the function of being the local user database remains and it must be readable by all for that purpose.

Solution 4:

To some extent it is, as you can identify users. In the past you could also pick up their passwords. However, the one userid really worth cracking is root which is well known without the password file.

The utility of having the password file world readable generally far outweighs the risk. Even if it weren't world readable, a functioning getent passwd command would render the security gain void.

The ability for non-root users to identify files owned by others would disappear. Being able to identify owned (user in passwd file) and unowned files (user not in passwd file) can be useful in reviewing the contents of a file system. While it would be possible to resolve this with appropriate setuid programs, that would add a huge attack vector via those programs.

In the end it is a matter of balance, and in this case I would say the balance is firmly on having password world readable.

Related

Accidentally deleted entire Active Directory [closed]
How to automatically restart Nginx when it goes down
Linux SSD as HDD cache
php mail() function painfully slow on local development machine
Change TeamCity IP address and port number on multi-homed Windows Server 2008 running IIS 7
What are the pros and cons of AWS Elastic Beanstalk compared with other deployment strategies?
Server vendor that allows 3rd party disks
How to track superuser activities
Verify TRIM support with BtrFS on SSD
Sanity check on 40TB server configuration
Internal DNS inside Amazon AWS VPC
Change default user folders path?