/etc/passwd permissions

Joe Robinson_2
Super Advisor

What is the "proper" permission for /etc/passwd? I have it set at 444 at present; is it necessary for the group/other permissions to have read access to this file? Seems to me that it would have to in order for their logins to access the file, but, conversely, I don't know that I want them to have the ability to view the file.
Sridhar Bhaskarla
Honored Contributor

Re: /etc/passwd permissions

It is necessary to have read permission for the users for /etc/passwd file. Otherwise, you will become "intruder alert".

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Stefan Farrelly
Honored Contributor

Re: /etc/passwd permissions


444 is the correct permission. The only way to stop normal users reading it is to convert to a trusted system (which removes the passwords from /etc/passwd).
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Patrick Wallek
Honored Contributor

Re: /etc/passwd permissions

Yes the passwd file has to be readable by EVERYONE (444).

If you are concerned about people looking at the encrypted passwd and attempting to decrypt it, you could switch to a trusted system.

In a trusted system the /etc/passwd file contains a * in the passwd field. The actual encrypted passwords are kept in a /tcb/files/auth/ directory structure which is then readable only by root and the sys group. This is the way to go if you are security conscious.
Sudalaimani
Frequent Advisor

Re: /etc/passwd permissions

Hi,

Actually, /etc/passwd will in turn call the file /bin/passwd, for which the sticky bit has been set to run the file with root privilege and have the execution permissions. Turn off the sticky bits using SUID or SGID and give only the permission you want to give to this file...

Hope this will help you.

Mani.S
A Long Journey Starts with Single Foot Step
linuxfan
Honored Contributor

Re: /etc/passwd permissions

Hi Joe,

Yes, the read permissions for group/others are normally set to 444. But if you remove the read permissions for others, they can still log in, but id-to-name conversions do not happen. ll would produce the uids rather than login names. finger would say ??? for the users.

whoami would say "intruder alert" although "who am i" would work fine. So technically speaking, as long as you don't care if the login name doesn't show up and you aren't running scripts/programs which look for the passwd (id-name conversion) entries, I guess you are ok.

This would be an interesting thread to follow.

-Regards
Ramesh
They think they know but don't. At least I know I don't know - Socrates
Deshpande Prashant
Honored Contributor

Re: /etc/passwd permissions

Hi
444 is the correct permission for /etc/passwd file.
For more security, consider converting to trusted system.

Thanks.
Prashant.
Take it as it comes.
Jeffrey S. Sims
Trusted Contributor

Re: /etc/passwd permissions

The correct permissions for /etc/passwd are 444, owned by root:sys. If you don't want the encrypted password present in the file you need to convert to a trusted system where shadow passwords are enabled. This will replace the encrypted password in the /etc/passwd file with an * and the passwords are kept in /tcb/files/auth and a subdirectory depending on the first letter of the login name.
Bill Thorsteinson
Honored Contributor

Re: /etc/passwd permissions

Login runs as root, and can access the password file regardless of permissions. As stated above, other services running with your privileges will read the password and group files to convert UIDs and GIDs to names. If you restrict access, these functions break.

More secure systems move the passwords to shadow files readable only by root.

There are tools available that will try to crack passwords. You can use these to check for weak passwords. If you are concerned about the security of your passwords you should run one of these.