Operating System - HP-UX

security hole on /etc/passwd

 
Hanry Zhou
Super Advisor

By default, the permission on /etc/passwd is 444, and that would pose a security issue if an ordinary user gets the encrypted password from the file and uses some type of tool to crack it.

So, I would really suggest HP to change its permission to maybe "440".

Changing the system to a trusted system may be a solution, but in many cases, users may not want to do that.

any opinion on that?
Robert-Jan Goossens
Honored Contributor

Re: security hole on /etc/passwd

Tomek Gryszkiewicz
Trusted Contributor

Re: security hole on /etc/passwd

Not a very good idea to change the permission of passwd - it should be readable by every process.
Install some kind of shadow password (e.g. change the system to trusted) - there the passwords are not kept in /etc/passwd.

-Tomek
Todd McDaniel_1
Honored Contributor

Re: security hole on /etc/passwd

IIRC, you can't make it 440 because no user would be able to log in if their profile couldn't read the passwd file.

The passwd file MUST be readable by all... that is an inherent weakness of UNIX, but as stated it can be fixed with a shadow file.

OR, as my company does, we use a one-time password convention known as SecurID cards.
Unix, the other white meat.
Hanry Zhou
Super Advisor

Re: security hole on /etc/passwd

Tomek,

As I said already, under some circumstances, users don't want to change to trusted systems.

What specific problem would it cause if we change the permission to "440"?
Hanry Zhou
Super Advisor

Re: security hole on /etc/passwd

Todd,

I tested it, and I am able to log in under "440".
Paul F. Carlson
Valued Contributor

Re: security hole on /etc/passwd

Just out of curiosity, what are the circumstances where you wouldn't want to convert to trusted system?
Link down -- cable problem?
John Poff
Honored Contributor

Re: security hole on /etc/passwd

Hi,

Now that you've changed permissions on your password file to 440, do an 'ls -l' and see if it lists your login name as owning files, or just the UID.

JP
Hanry Zhou
Super Advisor

Re: security hole on /etc/passwd

JP,

If I change it to 440 and log in as an ordinary user, I can see the file /etc/passwd is still owned by "root:sys".

Did I misunderstand your question?
Robert-Jan Goossens
Honored Contributor

Re: security hole on /etc/passwd

Hanry,

# chmod 440 /etc/passwd
# su - normal_user
# ls -la /home/normal_user
and look at the group-id of the files.

Regards,
Robert-Jan
Rodney Hills
Honored Contributor

Re: security hole on /etc/passwd

If you are concerned about crackers, then implement "PAM" to validate passwords through a more secure method.

HTH

-- Rod Hills
There be dragons...
Patrick Wallek
Honored Contributor

Re: security hole on /etc/passwd

If you change /etc/passwd to 440 permissions, and log in as a regular user, then ls will NOT be able to resolve UIDs to actual user names.

Here is what happens when a regular user uses 'ls -la' on their home directory with /etc/passwd permissions at 440:

[ wallekp@ftp:/home/wallekp ]
$ ls -la
total 144
drwx------ 4 102 users 8192 Sep 29 2003 .
drwxr-xr-x 12 0 root 8192 Apr 29 09:39 ..
-r--r--r-- 1 102 users 832 Nov 14 2000 .cshrc
-r--r--r-- 1 102 users 347 Nov 14 2000 .exrc
-r--r--r-- 1 102 users 334 Nov 14 2000 .login
-rw------- 1 102 users 455 May 1 2003 .profile
-rw-r--r-- 1 102 users 347 May 27 2003 .pw_profile
-rw------- 1 102 users 2192 Jun 9 10:17 .sh_history
drwx------ 2 102 users 8192 May 8 2003 .ssh
drwx------ 5 0 root 96 Sep 29 2003 .sw

You are correct in that 444 permissions are not necessarily a good idea, but neither is changing permissions to 440.

The ideal is to convert to either a trusted system, or install the shadow password bundle and use /etc/shadow for the passwords.

As far as why you would not want to convert to trusted -- There are still some application vendors that say that their application will not work with a trusted system.
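What Robert-Jan's reproduction steps and Patrick's listing both show is the same mechanism: ls calls getpwuid(3) to turn the owner's UID into a name, the C library answers that by opening /etc/passwd, an unprivileged process can no longer open a 440 file, so the lookup fails and ls prints the bare number. The C program below is an added example written for this thread; it is not code from HP-UX or from anyone in the discussion. It reimplements that lookup over a constructed passwd-format sample (the entries, the fake hash strings and the uid values are made up for illustration; only /etc/passwd is a real path), shows the numeric fallback ls uses when the file is unreadable, and adds the check the original complaint is really about: whether a world-readable passwd file carries real hashes at all, as opposed to the "x" or "*" placeholders a shadow or trusted configuration leaves behind.

```c
/* Added example, not from the thread: why `ls -l` shows a bare UID when
 * /etc/passwd is mode 440, and how to spot hashes sitting in a
 * world-readable passwd file. Compile with: cc -o pwcheck pwcheck.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample in /etc/passwd format; the hash strings are fake. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:3::/:/sbin/sh\n"
    "daemon:*:1:5::/:/sbin/sh\n"
    "wallekp:AbCdEfGhIjKlM:102:20::/home/wallekp:/usr/bin/sh\n"
    "hanry:NoPqRsTuVwXyZ:103:20::/home/hanry:/usr/bin/sh\n";

/* Locate the first two ':' separators of one passwd line (name:pw:uid:...).
 * Returns 1 and sets *c1/*c2 when both are present, 0 for a malformed line. */
static int split_line(const char *line, size_t len, const char **c1, const char **c2)
{
    *c1 = memchr(line, ':', len);
    *c2 = *c1 ? memchr(*c1 + 1, ':', len - (size_t)(*c1 + 1 - line)) : NULL;
    return *c1 != NULL && *c2 != NULL;
}

/* Find the login name for uid in passwd-format text.  Returns 1 and copies
 * the name on success, 0 if nothing matches.  A NULL text stands for
 * "could not open /etc/passwd", which is what mode 440 produces (EACCES). */
int passwd_lookup_uid(const char *text, uid_t uid, char *name, size_t n)
{
    const char *line = text;
    while (text && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *c1, *c2;
        if (split_line(line, len, &c1, &c2) &&
            strtoul(c2 + 1, NULL, 10) == (unsigned long)uid) {
            size_t nl = (size_t)(c1 - line);
            if (nl >= n) nl = n - 1;
            memcpy(name, line, nl);
            name[nl] = '\0';
            return 1;
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* What ls prints in the owner column: the name when the lookup works,
 * otherwise the numeric uid (exactly the "102" in the listing above). */
const char *owner_column(const char *passwd_text, uid_t uid, char *buf, size_t n)
{
    if (!passwd_lookup_uid(passwd_text, uid, buf, n))
        snprintf(buf, n, "%lu", (unsigned long)uid);
    return buf;
}

/* Count entries whose password field holds a real hash rather than an
 * empty field, "x" or "*".  Any non-zero count in a world-readable file is
 * the exposure the thread is about: those hashes can be cracked offline. */
int count_exposed_hashes(const char *text)
{
    int exposed = 0;
    const char *line = text;
    while (text && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *c1, *c2;
        if (split_line(line, len, &c1, &c2)) {
            size_t pwlen = (size_t)(c2 - c1 - 1);
            int placeholder = pwlen == 0 ||
                              (pwlen == 1 && (c1[1] == 'x' || c1[1] == '*'));
            if (!placeholder) exposed++;
        }
        if (!end) break;
        line = end + 1;
    }
    return exposed;
}

/* Read a passwd-format file the way an unprivileged process would; returns
 * buf on success, NULL with errno set (EACCES under 440) on failure. */
char *read_passwd_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    static char file[65536];
    char name[64];
    const char *text = read_passwd_file("/etc/passwd", file, sizeof file);
    if (!text) printf("/etc/passwd: %s (this is what a 440 mode looks like to ls)\n", strerror(errno));
    printf("my owner column: %s\n", owner_column(text, getuid(), name, sizeof name));
    if (text) printf("hashes exposed in /etc/passwd: %d\n", count_exposed_hashes(text));
    printf("sample, readable: uid 102 -> %s\n", owner_column(SAMPLE_PASSWD, 102, name, sizeof name));
    printf("sample, unreadable: uid 102 -> %s\n", owner_column(NULL, 102, name, sizeof name));
    printf("hashes exposed in sample: %d\n", count_exposed_hashes(SAMPLE_PASSWD));
    return 0;
}
```

Run it as an ordinary user: on a 444 system the first line prints your login name and the hash count tells you whether the file still carries crackable hashes; on a 440 system the open fails with EACCES and the owner column degrades to the number, which is the breakage Patrick's listing shows.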
John Poff
Honored Contributor

Re: security hole on /etc/passwd

Try the steps that Robert-Jan described. It is an example of the simple things that will break when you make the /etc/passwd file unreadable by the rest of the world.

As mentioned previously, the best way to secure the password file is to convert to a trusted system, or at least to shadow passwords. I think you can convert to shadow passwords without converting completely to a trusted system.

JP
Patrick Wallek
Honored Contributor

Re: security hole on /etc/passwd

In my ls example above, note that the 3rd column where the file owner is lists only the UID number rather than the user name.
Geoff Wild
Honored Contributor

Re: security hole on /etc/passwd

You can install shadow passwords for HP-UX 11i:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: security hole on /etc/passwd

Going trusted or shadow will merely move the password to a shadow file or many little shadow files in the case of trusted.

That just makes it a chore to get to them.

Changing the permissions on the /etc/passwd file or the shadow file or the trusted password files without direction from HP is simply not a good idea.

I haven't seen a security bulletin on it and won't take action without HP's blessing. It's just too big to touch.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Hanry Zhou
Super Advisor

Re: security hole on /etc/passwd

Patrick W.

I tested it on both 11.0 and 11.11 systems, and did find the userid not being able to be transferred to the actual name, although the gid is okay.

However, on the 11.11 system, everything seems okay; userid and groupid are all alright even though I changed passwd to 440.
Geoff Wild
Honored Contributor

Re: security hole on /etc/passwd

At 440 - can a user change their password?

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Todd McDaniel_1
Honored Contributor

Re: security hole on /etc/passwd

Yes, you can change the password with 440; I just did it on a workstation.
Unix, the other white meat.
John Poff
Honored Contributor

Re: security hole on /etc/passwd

A regular user can change their password even with the /etc/passwd file permissions set at 440, because the /usr/bin/passwd program is a setuid program which executes as the root user when you run it.

JP