Operating System - HP-UX
1745865 Members
4445 Online
108723 Solutions
New Discussion

How do I explain this to an auditor?

 
SOLVED
Go to solution
Vince Laurent
Respected Contributor

How do I explain this to an auditor?

"When we review the file permission of /etc/passwd (-r--r--r--), /etc/shadow (-r---------), it seemed even the owner root cannot change the files. Just wonder how can user password be periodically changed per password policy, if no change of these files are allowed?"

 

I never really thought about it and figured the system just managed it some how via the policies.  Is there a doc explaining this automagic process?

3 REPLIES 3
Patrick Wallek
Honored Contributor
Solution

Re: How do I explain this to an auditor?

Regardless of file permissions, the root user ALWAYS has the ability to change a file.

 

If the owner of the file were a user other than root, then the file owner would NOT be able to change a file.

 

For example:

 

touch abc123
# ll abc123
-rw-r--r-- 1 root sys 0 Jan 6 17:04 abc123

 

# echo "more text" > abc123

 

# ll abc123
-r--r--r-- 1 root sys 10 Jan 6 17:05 abc123

 

# chown pwallek abc123

# ll abc123
-r--r--r-- 1 pwallek sys 10 Jan 6 17:05 abc123

 

# echo "more text" >> abc123

 

# ll abc123
-r--r--r-- 1 pwallek sys 20 Jan 6 17:07 abc123

 

Notice that root can still change the file, even though it is owned by 'pwallek'.

 

# su - pwallek

 

$ ll abc123
-r--r--r-- 1 pwallek sys 20 Jan 6 17:07 abc123

$ echo "more text pwallek" >> abc123
su: abc123: Cannot create the specified file.

 

Even though I logged in as pwallek I still can't change the file I own because it is read-only.

 

root, or more accurately ANY user with a UID of 0, is a special case in UNIX.  They ALWAYS have permission, no matter what.  If you use 'vi' to edit a read-only file as root, you can force it to save the file by doing a 'w!' (write - force).  That is the only time that works though.

 

<SOAP BOX>

The bigger issue here is not your ability to explain to the auditor why this works, it is the auditors lack of understanding of basic UNIX principles.  The auditor should NOT have to ask a question like that.  Anyone with a basic amount of UNIX sys admin knowledge should already know why.

 

I have never understood how an auditor can effectively audit systems when he/she lack even a basic understanding of the underlying OS.  I don't care what the OS is.

 

I actually pissed off an auditor one time a few years ago by asking that very question.  He wasn't very happy with me, and I didn't care!

<OFF SOAP  BOX>

Patrick Wallek
Honored Contributor

Re: How do I explain this to an auditor?

This is an interesting post regarding the 'root' user in UNIX/LINUX:

 

http://www.linfo.org/root.html

 

 And here is an good book excerpt regarding root/UID 0:

 

http://docstore.mik.ua/orelly/networking/puis/ch04_02.htm

 

 Note this phrase in the above link:

Filesystem Control:

Read, modify, or delete any file or program on the system

 

<Edited by PW>

Dennis Handly
Acclaimed Contributor

Re: How do I explain this to an auditor?

>Just wonder how can user password be periodically changed per password policy, if no change of these files are allowed?"

 

I'm curious why an auditor would care about stricter permissions.  :-)

 

Also, if you use NIS, you don't change the passwd(4) file on the client systems.

 

>root is a special case in UNIX.  They ALWAYS have permission, no matter what.

 

If under NFS, there may be another special case.  If the export defaults to root-is-less-than-dirt, (nobody) he won't be able to write.

Nor will root be able to write to a read only filesystem.  :-)