
I would like to give my web server user (nginx) read access to the /etc/shadow file and I would like to confirm the steps that I am taking to do this. The system I am using is a CentOS 7.

  1. First I created a group called shadow: groupadd shadow
  2. Then I added the web server user (nginx) to the group shadow: usermod -aG shadow nginx
  3. Then I changed the owner to root and changed the file group owner to group shadow: chown root:shadow /etc/shadow
  4. Then I allowed read permissions for all users in the shadow group to read the /etc/shadow file: chmod g+r /etc/shadow

After completing those steps I ran ls -l /etc/shadow and saw the following output:

----r-----. 1 root shadow 1390 Aug 30 12:51 /etc/shadow

Are these steps that I am following correct? Please let me know, and I can provide additional information if needed.

Nebek

2 Answers


Changing the owner group of such an important file could even break some things, which is dangerous.

The proper secure way to achieve that is to use POSIX ACLs:

setfacl -m u:special_user:r /etc/shadow

Another problem here is that you gave this right to Nginx, a web server, which, I suppose, runs some web application. And it is a very bad idea to have direct access to /etc/shadow from a web application.

This may seem counterproductive, but this is the way all serious systems do such things: they include a private, secure proxy service which does all the security checks, and the web front end can only talk to this proxy service to get some access to sensitive data or do other sensitive things. For example, this is the way Proxmox VE is built: there is pvedaemon, which does the dangerous things, and pveproxy (a web server) only talks to pvedaemon when it needs to do such things.

The third problem is that you access this file at all. What do you intend to do? This file is a part of the PAM suite. What if the system authentication is modified so that it is not using a shadow file, or the file is moved? You should use PAM library calls, which will do all that stuff for you.

Nikita Kipriyanov
  • Thanks Nikita. I am aware of the security concerns with the /etc/shadow file. The reason why I am letting Nginx have read access to the /etc/shadow file, is that I want to be authenticated using PAM to get into a web application that I am running. This is just to verify that I have properly integrated PAM and Nginx, further down the line I will be using BoKs. – Nebek Aug 31 '21 at 17:58
  • 1
    Then there is no need to allow direct access to the shadow file. PAM exists in part to make this unnecessary. – Nikita Kipriyanov Aug 31 '21 at 18:01

That looks like the output of

chmod g=r /etc/shadow

and not

chmod g+r /etc/shadow

i.e. you seem to have accidentally used an equals sign instead of the plus sign.

Edit: I just double-checked on my system, and the permissions for my /etc/shadow file look like this:

`----------. 1 root root 1183 20 Aug 11.53 /etc/shadow`

So it looks like your permissions are to be expected!

  • Interesting, I did check my history of commands that I ran and I did use the correct one, 'chmod g+r /etc/shadow'. – Nebek Aug 31 '21 at 16:01
  • @Nebek Did you see my edit? :) – BitGen01100000 Aug 31 '21 at 16:08
  • Oh sorry, just saw it thanks! – Nebek Aug 31 '21 at 16:46
  • Actually, `ls -la /etc/shadow -rw-r----- 1 root shadow 1050 Aug 28 18:14 /etc/shadow` is the default on Debian – djdomi Sep 01 '21 at 04:45
  • Please add further details to expand on your answer, such as working code or documentation citations. – Community Sep 01 '21 at 04:45
  • @djdomi I checked this on a CentOS (Version 7.7.1908) system I had running. And I haven't made any changes to this file. So unless you changed anything, it seems to be a difference between the distros. OP did however state that he/she uses CentOS, so I would recommend him/her to use the standard configuration for that distro as a base config instead of mixing and matching between different distros. :) – BitGen01100000 Sep 01 '21 at 07:19
  • @BitGen01100000 it doesn't matter, it's even the same idea behind it; moreover, the contributor can go ahead with [this already answered question](https://unix.stackexchange.com/questions/549464/etc-shadow-permissions-security-best-practice-000-vs-600-vs-640) – djdomi Sep 02 '21 at 04:29
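As an added illustration of BitGen01100000's point about g+r versus g=r, and of the chmod step in the question, the following Python models chmod's symbolic-mode grammar for the rwx bits and renders the result the way the first column of ls -l shows it. This is example code written for this page, not code from anyone in the thread; the function names are the example's own, and the starting modes it uses are the CentOS default of 000 quoted in the edit and the Debian default of 640 mentioned by djdomi. It shows why both g+r and g=r produce ----r----- when the file starts at 000, and only differ when the group class already holds other bits.

```python
"""Model of chmod symbolic modes (rwx bits only) with ls -l style rendering.

Example code added to illustrate the thread; not part of the original post.
Not modelled: setuid/setgid/sticky bits, 'X', 's', 't', and the umask
handling that real chmod applies when no 'who' letters are given.
"""
import stat

# Permission bits per class, in the order ls -l prints them.
PERM_BITS = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def apply_symbolic_mode(mode: int, spec: str) -> int:
    """Apply a chmod-style spec such as 'g+r', 'g=r' or 'u=rw,go=' to mode.

    '+' adds the named bits, '-' removes them, '=' replaces the whole rwx
    set of the class with exactly the named bits.  An empty 'who' or 'a'
    means all three classes (umask is deliberately ignored here).
    """
    for clause in spec.split(","):
        i = 0
        who = ""
        while i < len(clause) and clause[i] in "ugoa":
            who += clause[i]
            i += 1
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op = clause[i]
        perms = clause[i + 1:]
        if any(p not in "rwx" for p in perms):
            raise ValueError(f"unsupported permission letters in {clause!r}")

        classes = set("ugo") if (not who or "a" in who) else set(who)
        for cls in classes:
            all_bits = 0
            for bit in PERM_BITS[cls].values():
                all_bits |= bit
            requested = 0
            for p in set(perms):
                requested |= PERM_BITS[cls][p]
            if op == "+":
                mode |= requested
            elif op == "-":
                mode &= ~requested
            else:  # '=' : clear the class, then set exactly what was asked
                mode = (mode & ~all_bits) | requested
    return mode


def render_mode(mode: int) -> str:
    """Render like the first column of ls -l for a regular file ('-' type char)."""
    out = "-"
    for cls in "ugo":
        for p in "rwx":
            out += p if mode & PERM_BITS[cls][p] else "-"
    return out


def compare_specs(start_mode: int, specs=("g+r", "g=r")) -> dict:
    """Apply each spec to the same starting mode and return the rendered results."""
    return {s: render_mode(apply_symbolic_mode(start_mode, s)) for s in specs}


if __name__ == "__main__":
    # CentOS default for /etc/shadow is 000: g+r and g=r are indistinguishable.
    print("from 000:", compare_specs(0o000))
    # Debian default (djdomi's comment) already has group read: still identical.
    print("from 640:", compare_specs(0o640))
    # Only when the group holds other bits do the two specs diverge.
    print("from 660:", compare_specs(0o660))
```

Run it directly to see the three comparisons; the 660 case is where g+r (keeps group write) and g=r (drops it) part ways, which is why the output in the question alone cannot tell the two commands apart.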