Rename /etc/passwd and /etc/shadow for security reasons [closed]

security passwd

The Filesystem Hierarchy Standard for unix-like systems includes /etc/passwd at a fixed location, and tools are consequently usually hardcoded to look there for it. While in theory you could re-compile all the relevant utilities to look in a new location, any attacker could always just look for strings in those binaries to locate the new file, or use regular expressions to find files with passwd-like contents.

The shadow file should be readable only to root (and possibly to a group called shadow). If an attacker has managed to get root access to your system, they have complete control and whether or not they can read your passwd/shadow files is pretty irrelevant at that point.

There are conceivably a few situations where having files not in expected places might help, eg if you have a badly-configured web server which lets someone request http://myserver/../../etc/passwd, but in general this sort of indirection will require a lot of work for a minimal security benefit.


The best thing that would be is "completely useless" as you put it. (It doesn't provide an additional hurdle for an intruder)

/etc/passwd does contain account names, but anybody who has shell access to the system will be able to find them.

/etc/shadow contains sensitive information (the password hashes) but it is readable for root only. If an intruder managed to get root privileges - well how do you spell disaster?


In modern Unices (and Unix-likes, including Ubuntu), /etc/passwd doesn't contain any secrets. Renaming it would be more trouble than it is worth, given how many utilities would have to be rebuilt to look for it in its new location.

/etc/shadow is another matter, since there are secrets in that file, but renaming it won't help. It's only readable by root, so even if a hacker gets into the system as some other user, that's not enough to get to the file. This is why passwords were taken out of /etc/passwd in the first place: everyone needs to be able to read /etc/passwd, but only root needs to be able to get at the actual passwords, so the passwords were moved to a file that only root could read.

If the hacker does get root, then a rename won't save you. A simple recursive grep could give the hacker a list of files in an /etc/shadow-like format, and then the hacker only has to look through them to find the data he wants. You've delayed him by a few hours at most, and probably less: again, not worth the amount of time it would take to modify and recompile all the utilities that depend on /etc/shadow's location.


You cannot just rename these files. A lot of processes and programs will search for them, since this is a standard in Linux systems. What you can do is to securize your server in the proper way.


While it's probably no use to rename the /etc/passwd and /etc/shadow files, if you want added security you might want to look at PAM (pluggable authentication modules) and NSS (Name Service Switch). Like here.

PAM can be used to add authentication modules that, instead reading their authentication ifnormation from the standard files, read it from an other source, like from ldap or a database. Using it would mean the /etc/shadow can be almost completley eliminated.

NSS complements PAM by making some of the name resolution (like which groups does this user belongs to) independent from the standard files (/etc/passwd, /etc/groups). Using it would mean your passwd file will potentially only contain a fallback option for root, and nothing more. Using SSH keys to validate root login would also eliminate the need to have a root password inside the shadow file (although it might be desired if the SSH connection breaks).

Alternatively if you don't want to authenticate your users via a separate database or ldap host, you can also create your own PAM and NSS modules, which read their data from a non-standard file, although I wouldn't recommend this option.

When you want to try to use them never forget to keep some kind of fallback to a known, working authentication layer, otherwise you can lock yourself out of the system, even with root.

Note that not all applications support PAM (a lot of them do however). NSS however can be used to implement authentication for apps that don't support PAM, and some sites I've read about NSS actually suggest this approach. This however means that the NSS module will supply the (potentially) hashed password to anyone who can access the NSS authentication layer, which is almost always something you want to avoid (it's basically the same as giving non-root read access to the shadow file)! So if you're going this approach always make sure that NSS is only used to provide the user with the basic data (like the contents of /etc/passwd), and PAM is used as the authentication layer.

Related

Show 1 to N on the terminal
Why is there no Recycle Bin?
Why qemu-system-x86 takes 100% of my CPU?
How to Live Streaming on YouTube?
Default mount options on auto-mounted NTFS partitions (how to add `noexec` and `fmask=0111`?) [closed]
Chmod error changing permission read only file system
How to correctly remove a PPA source? [duplicate]
Connect to a Microsoft Exchange 5.5 server using Evolution
How do I turn off mouse acceleration? [duplicate]
Compiz slow under proprietary nvidia driver [closed]
How can I automatically remove duplicate sources.list entries? [duplicate]
Is it possible to remove shadows behind windows and menus? [duplicate]