[svlug] Should my /etc/passwd really be mode 644?

Rick Moen rick at linuxmafia.com
Fri Oct 2 17:54:23 PDT 2015


Quoting Steve Litt (slitt at troubleshooters.com):

> Should my /etc/passwd really be mode 644?

Ooh, ooh!  I know this one!


Yes.





P
A
U
S
E

F
O
R

I
R
O
N
I
C

D
E
T
A
C
H
M
E
N
T
.





(I slay me.  I really do.)



> I don't want others knowing the usernames of all accounts on my
> computer. What am I missing here?

The fact that Unix was never designed for high security, and in
particular was never designed to be able to conceal the existence of
local users from other local users.

As you discovered, there have grown to be a large number of essential
system utilities that depend on being able to read some of the subfields
in the lines comprising /etc/passwd (and /etc/group).

This was pretty quickly found to be a bit of a design blunder especially
concerning passwords, even with password salting and modern hashing
methods, because any possessor of shell privilege could read the passwd
and group file to grab the hashed password contents, and then use a
program like John the Ripper to crack them, even the password of root
and the administrative users.  Therefore in 1987, Julie Haugh wrote the
Shadow Suite that permitted moving passwords to /etc/shadow and
/etc/gshadow, along with rewrites of login, passwd, and su to dereference
passwords from (and write them to) the new files -- which you'll notice 
are root-owned and kept at 0600 permissions.  Other programs like
'whoami' that need to read _other_ subfields from /etc/passwd and
/etc/group could keep doing so.  The Shadow Suite entered production
starting with UNIX System V r.3.2 in 1988 and BSD4.3 Reno in 1990.

These days, we have the PAM layers on most Unixes (excepting, IIRC,
OpenBSD) such that most utilities no longer read password database files
directly except for some irreducible exceptions involving system users
-- and quite possibly whoami is one of those cases.

If you were very determined to conceal your local users from each other
to the extent possible, I suppose you _could_ try moving non-system
users to one of the other auth back-ends like NIS or LDAP.  {shudder}
I'm not sure that actually buys you anything, as ISTR that local LDAP
and NIS users remain free to query the auth database about other users
-- and that sure would add a lot of complexity that would be difficult
to justify unless you have a mandate for SSO.


> Hi all,

Ta, all!

-- 
Cheers,                              Arrq uryc qrpelcgvat EBG13?  Nfx zr ubj!
Rick Moen                      
rick at linuxmafia.com
McQ! (4x80)
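Added example, not from the post above or from the Shadow Suite itself: a small POSIX sh audit of the arrangement Rick describes, checking that the password field of a readable passwd/group file holds only a placeholder (so the hash really lives in the shadow file) and that the shadow file grants "other" no access. It runs on constructed sample files; the usernames and the `$6$...` hash string are placeholders, and a real audit would point it at /etc/passwd, /etc/group and /etc/shadow.

```shell
#!/bin/sh
# Added example (not the list post's or the shadow suite's code).

# check_shadowed FILE: print every entry whose password field (field 2 in
# both passwd(5) and group(5)) is not a shadow placeholder. An actual hash
# or an empty field in a mode-644 file is what the Shadow Suite was written
# to remove. Returns 1 if any such entry exists, 0 otherwise.
check_shadowed() {
    awk -F: '
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "!*" {
            printf "UNSHADOWED: %s (field2=%s)\n", $1, $2; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# shadow_mode_ok FILE: return 0 when the "other" permission digit is 0
# (0600 as in the post, or 0640 with a dedicated shadow group), else 1.
# Uses GNU stat, falling back to BSD stat.
shadow_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# make_samples: build constructed passwd/shadow files in a temp dir and print
# its path. Two entries are properly shadowed; "bob" carries a placeholder
# hash in the readable file and "guest" has an empty password field.
make_samples() {
    d=$(mktemp -d 2>/dev/null || mktemp -d -t svlug)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$PLACEHOLDERNOTAREALHASH:1001:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:*:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
EOF
    chmod 644 "$d/passwd"; chmod 600 "$d/shadow"
    printf '%s\n' "$d"
}

# Demo on the constructed files.
d=$(make_samples)
check_shadowed "$d/passwd" || echo "hashes or empty passwords in readable file"
shadow_mode_ok "$d/shadow" && echo "shadow file mode ok"
rm -rf "$d"
```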


