Ordinary users are able to read /etc/passwd, is this a security hole?
Solution 1:
Actual password hashes are stored in /etc/shadow, which is not readable by regular users. /etc/passwd holds other information about user ids and shells that must be readable by all users for the system to function.
Solution 2:
Typically, the hashed passwords are stored in /etc/shadow on most Linux systems:
-rw-r----- 1 root shadow 1349 2011-07-03 03:54 /etc/shadow
(They are stored in /etc/master.passwd on BSD systems.)
Programs that need to perform authentication still need to run with root privileges:
-rwsr-xr-x 1 root root 42792 2011-02-14 14:13 /usr/bin/passwd
If you dislike the setuid root programs and one single file containing all the hashed passwords on your system, you can replace it with the Openwall TCB PAM module. This provides every single user with their own file for storing their hashed password -- as a result the number of setuid root programs on the system can be drastically reduced.
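The point made in Solutions 1 and 2 is that the world-readable /etc/passwd must not carry hashes and that /etc/shadow must not be world-readable. The following is an added example, not code from the original answers, that audits both conditions: it parses passwd-format lines and flags any account whose password field holds something other than the shadow marker, and it checks file modes (including ones given in ls-style symbolic form, as in the answer above) for the permission bits a shadow file must not have. The sample passwd lines and the hash in the "legacy" entry are constructed for the example.

```python
import stat

# Constructed sample /etc/passwd content (not from any real system).
# The "legacy" line shows what an unshadowed entry looks like: a real
# hash in field 2 of a world-readable file.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$saltsalt$constructedhashforexampleonly:1001:1001:Legacy:/home/legacy:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5)-format text into a list of dicts, one per account."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def find_unshadowed(entries):
    """Return (name, reason) pairs for accounts whose passwd entry is not
    delegating to the shadow file: an empty password field (no password at
    all) or a literal hash. 'x' means "look in /etc/shadow"; '*' and '!'
    prefixes mean the account is locked, which is fine to see here."""
    findings = []
    for e in entries:
        pw = e["password"]
        if pw == "":
            findings.append((e["name"], "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((e["name"], "hash present in world-readable file"))
    return findings


def parse_symbolic_mode(sym):
    """Convert an ls-style mode string such as '-rw-r-----' into the
    numeric mode bits, including setuid/setgid/sticky letters."""
    bits = sym[1:]  # drop the file-type character
    if len(bits) != 9:
        raise ValueError("expected a 10-character mode string")
    mode = 0
    for i, ch in enumerate(bits):
        shift = 8 - i
        if ch in "rwx":
            mode |= 1 << shift
        elif ch in "sS":            # setuid (owner triple) or setgid (group triple)
            mode |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                mode |= 1 << shift
        elif ch in "tT":            # sticky bit (other triple)
            mode |= 0o1000
            if ch == "t":
                mode |= 1 << shift
        elif ch != "-":
            raise ValueError(f"unexpected mode character {ch!r}")
    return mode


def shadow_mode_is_safe(mode):
    """A shadow file must have no permission bits for 'other' and must not
    be group-writable; 0o640 (rw-r-----) passes, 0o644 does not."""
    return mode & (stat.S_IRWXO | stat.S_IWGRP) == 0


if __name__ == "__main__":
    for name, reason in find_unshadowed(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {reason}")
    for sym in ("-rw-r-----", "-rw-r--r--"):
        m = parse_symbolic_mode(sym)
        print(f"{sym} -> {oct(m)} shadow-safe={shadow_mode_is_safe(m)}")
```

On a live host the same functions can be fed `open("/etc/passwd").read()` and `os.stat("/etc/shadow").st_mode`; the parser deliberately never reads the shadow file itself, since an audit of the world-readable side does not need it.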
Solution 3:
Passwords haven't been stored in /etc/passwd for years now; the name is legacy, the function of being the local user database remains and it must be readable by all for that purpose.
Solution 4:
To some extent it is, as you can identify users. In the past you could also pick up their passwords. However, the one userid really worth cracking is root, which is well known without the password file.
The utility of having the password file world readable generally far outweighs the risk. Even if it weren't world readable, a functioning getent passwd command would render the security gain void.
The ability for non-root users to identify files owned by others would disappear. Being able to identify owned (user in passwd file) and unowned files (user not in passwd file) can be useful in reviewing the contents of a file system. While it would be possible to resolve this with appropriate setuid programs, that would add a huge attack vector via those programs.
In the end it is a matter of balance, and in this case I would say the balance is firmly on having the password file world readable.