21
ls -l /etc/passwd

gives

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1862 2011-06-15 21:59 /etc/passwd

So an ordinary user can read the file. Is this a security hole?

N.N.
  • 111
  • 1
  • 1
  • 9
Ankur Agarwal
  • 457
  • 1
  • 6
  • 15

4 Answers4

51

Actual password hashes are stored in /etc/shadow, which is not readable by regular users. /etc/passwd holds other information about user ids and shells that must be readable by all users for the system to function.

Michael
  • 1,155
  • 1
  • 10
  • 16
  • 3
    Not really - historically passwords were kept in /etc/passwd - but this made brute-force matching straightforward - hence modern systems using /etc/shadon with pam_unix and similar. – symcbean Jul 04 '11 at 12:20
  • 4
    Modern *Linux* uses `/etc/shadow`. The BSDs use `/etc/master.passwd`. Solaris uses `/etc/security/passwd`. HP-UX uses `/.secure/etc/passwd` and the list goes on... – Chris S Jan 23 '13 at 15:40
16

Typically, the hashed passwords are stored in /etc/shadow on most Linux systems:

-rw-r----- 1 root shadow 1349 2011-07-03 03:54 /etc/shadow

(They are stored in /etc/master.passwd on BSD systems.)

Programs that need to perform authentication still need to run with root privileges:

-rwsr-xr-x 1 root root 42792 2011-02-14 14:13 /usr/bin/passwd

If you dislike the setuid root programs and one single file containing all the hashed passwords on your system, you can replace it with the Openwall TCB PAM module. This provides every single user with their own file for storing their hashed password -- as a result the number of setuid root programs on the system can be drastically reduced.

sarnold
  • 1,211
  • 7
  • 9
13

Passwords haven't been stored in /etc/passwd for years now; the name is legacy, the function of being the local user database remains and it must be readable by all for that purpose.

geekosaur
  • 7,175
  • 1
  • 20
  • 19
  • 2
    world readability is a design decision, not a necessity – Ben Voigt Jul 04 '11 at 00:11
  • @Ben: so it's reasonable that nobody can identify files that belong to someone else? It's the local store for NSS these days, *not* for PAM despite its name. – geekosaur Jul 04 '11 at 00:14
  • 1
    It's entirely possible to have a privileged service do uid -> name translation, without allowing unprivileged users to enumerate the entire user list. Some OSes choose that option. – Ben Voigt Jul 04 '11 at 00:17
  • @geekosaur, I agree with @Ben. Besides, one thing is to do uid-username mapping and another is to have the entire list of users. – joechip Jul 04 '11 at 04:10
  • 1
    @joechip Current OSes are not designed to hide users from each other. All users can be enumerated in many more ways than /etc/passwd. ls -la /home on Linux, ls -la /Users on MacOS X, dir C:\Users in windows 7, ps -afux in Unix systems. Changing the design choice Ben Voigt alluded to just makes life difficult without changing security. – Magicianeer Jul 04 '11 at 05:05
  • 1
    @Magicianeer - Just saying the Windows example isn't quite right. You can get the users through other methods, but looking at the C:\users folder will only list users that have logged in; not any system users. – Dan Jul 04 '11 at 09:18
  • Depending on the system in question, it *can* be a necessity, not merely a decision. For example, generally sftp and scp access is broken if this file is not world readable. And if you say having *those* available is a design decision... well duh. Then it's a design decision even to have your server up, and the point need not have been made. – Peter Hansen Jul 04 '11 at 11:49
  • @joechip: If you had to use a service for ID to user-name translation...well, it would be trivial to just ask it to translate all UIDs from 0 to INTMAX. – Zan Lynx Jul 04 '11 at 23:32
  • @Zan Lynx: Sure you could, but enumerating an resolving the uid mapping are still two different things. And you could impose restrictions or monitor enumeration. Still, it's mostly a theoretical distinction. – joechip Jul 05 '11 at 01:01
  • @Magicianeer: from a hacker's POV there is a certain, though small, advantage to having the username list. It's not that a big deal, for sure. But geekosaur emphasized the "must", and it invites nitpicking. – joechip Jul 05 '11 at 01:09
6

To some extent it is, as you can identify users. In the past you could also pick up their passwords. However, the one userid really worth cracking is root which is well known without the password file.

The utility of having the password file world readable generally far outweighs the risk. Even if it weren't world readable, a functioning getent passwd command would render the security gain void.

The ability for non-root users to identify files owned by others would disappear. Being able to identify owned (user in passwd file) and unowned files (user not in passwd file) can be useful in reviewing the contents of a file system. While it would be possible to resolve this with appropriate setuid programs, that would add a huge attack vector via those programs.

In the end it is a matter of balance, and in this case I would say the balance is firmly on having password world readable.

BillThor
  • 27,737
  • 3
  • 37
  • 69