Ordinary users are able to read /etc/passwd, is this a security hole?
Solution 1
Actual password hashes are stored in /etc/shadow, which is not readable by regular users. /etc/passwd holds other information about user ids and shells that must be readable by all users for the system to function.
Solution 2
Typically, the hashed passwords are stored in /etc/shadow on most Linux systems:
-rw-r----- 1 root shadow 1349 2011-07-03 03:54 /etc/shadow
(They are stored in /etc/master.passwd on BSD systems.)
Programs that need to perform authentication still need to run with root privileges:
-rwsr-xr-x 1 root root 42792 2011-02-14 14:13 /usr/bin/passwd
If you dislike the setuid root programs and one single file containing all the hashed passwords on your system, you can replace it with the Openwall TCB PAM module. This provides every single user with their own file for storing their hashed password -- as a result the number of setuid root programs on the system can be drastically reduced.
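The split the answers describe (a world-readable /etc/passwd whose second field is only a placeholder, and a non-world-readable /etc/shadow holding the hashes) can be audited with a short script. The following is an added example, not code from the question or any answer; the sample passwd content is constructed, and the audit() paths default to the Linux locations but can be pointed at any files.

```python
import os
import stat

# Constructed sample passwd content (not from a real system). The 'legacy'
# line shows a hash left in the world-readable file, the risk the answers warn about.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$examplesalt$notarealhashvalue:1001:1001:Legacy User:/home/legacy:/bin/sh
nopw::1002:1002:No Password:/home/nopw:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""

# Field-2 values that mean "hash is in the shadow file" or "account locked".
SHADOW_MARKERS = {"x", "*", "!", "!!"}

def parse_passwd(text):
    """Return (name, password_field, uid) for each well-formed 7-field line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed line: skip it rather than misreport it
        entries.append((fields[0], fields[1], int(fields[2])))
    return entries

def unshadowed_accounts(text):
    """List (name, reason) for accounts whose passwd line is itself a risk."""
    findings = []
    for name, pw, _uid in parse_passwd(text):
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            findings.append((name, "password hash stored in passwd"))
    return findings

def shadow_mode_ok(mode):
    """True when the mode grants nothing to 'other' (0640 root:shadow passes)."""
    return (mode & stat.S_IRWXO) == 0

def audit(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run both checks against real files; returns (findings, shadow_ok)."""
    with open(passwd_path) as fh:
        findings = unshadowed_accounts(fh.read())
    return findings, shadow_mode_ok(os.stat(shadow_path).st_mode)
```

On a correctly configured system audit() returns an empty findings list and True; any name in the list means a hash (or no password at all) is exposed in the world-readable file.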
Solution 3
Passwords haven't been stored in /etc/passwd for years now; the name is legacy, the function of being the local user database remains and it must be readable by all for that purpose.
Solution 4
To some extent it is, as you can identify users. In the past you could also pick up their passwords. However, the one userid really worth cracking is root, which is well known without the password file.
The utility of having the password file world readable generally far outweighs the risk. Even if it weren't world readable, a functioning getent passwd command would render the security gain void.
The ability for non-root users to identify files owned by others would disappear. Being able to identify owned (user in passwd file) and unowned files (user not in passwd file) can be useful in reviewing the contents of a file system. While it would be possible to resolve this with appropriate setuid programs, that would add a huge attack vector via those programs.
In the end it is a matter of balance, and in this case I would say the balance is firmly on having the password file world readable.
Ankur Agarwal
Updated on September 18, 2022
Comments
- Ankur Agarwal, over 1 year ago: ls -l /etc/passwd gives
$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1862 2011-06-15 21:59 /etc/passwd
So an ordinary user can read the file. Is this a security hole?
- Ben Voigt, almost 13 years ago: world readability is a design decision, not a necessity
- geekosaur, almost 13 years ago: @Ben: so it's reasonable that nobody can identify files that belong to someone else? It's the local store for NSS these days, not for PAM despite its name.
- joechip, almost 13 years ago: @geekosaur, I agree with @Ben. Besides, one thing is to do uid-username mapping and another is to have the entire list of users.
- Dan, almost 13 years ago: @Magicianeer - Just saying the Windows example isn't quite right. You can get the users through other methods, but looking at the C:\users folder will only list users that have logged in; not any system users.
- Peter Hansen, almost 13 years ago: Depending on the system in question, it can be a necessity, not merely a decision. For example, generally sftp and scp access is broken if this file is not world readable. And if you say having those available is a design decision... well duh. Then it's a design decision even to have your server up, and the point need not have been made.
- symcbean, almost 13 years ago: Not really - historically passwords were kept in /etc/passwd - but this made brute-force matching straightforward - hence modern systems using /etc/shadow with pam_unix and similar.
- Zan Lynx, almost 13 years ago: @joechip: If you had to use a service for ID to user-name translation... well, it would be trivial to just ask it to translate all UIDs from 0 to INTMAX.
- joechip, almost 13 years ago: @Zan Lynx: Sure you could, but enumerating and resolving the uid mapping are still two different things. And you could impose restrictions or monitor enumeration. Still, it's mostly a theoretical distinction.
- joechip, almost 13 years ago: @Magicianeer: from a hacker's POV there is a certain, though small, advantage to having the username list. It's not that big a deal, for sure. But geekosaur emphasized the "must", and it invites nitpicking.
- Philip, over 11 years ago: Modern Linux uses /etc/shadow. The BSDs use /etc/master.passwd. Solaris uses /etc/security/passwd. HP-UX uses /.secure/etc/passwd and the list goes on...