LinuxQuestions.org


dickysolo 10-26-2007 01:45 AM

how local user able to change password?
 
I have been thinking about how normal users are able to change their password. I heard the Linux password file resides encrypted in the /etc/shadow file, which has root permission only. Then how are we able to change our password if we cannot access the shadow file?

jschiwal 10-26-2007 01:49 AM

You use the "passwd" program. It is an suid root program. If you run it as a normal user, you can only change your own password. If you run it as root, you can change anyone's password. When the program edits the /etc/passwd & /etc/shadow files, it does so as the root user.

dickysolo 10-29-2007 01:56 AM

Then is there no other way to view /etc/shadow by a local user?

jayjwa 10-29-2007 03:39 AM

No, not unless the privileges on the file have been set wrong, or someone made an editor or something setuid root or gained root (or group shadow) on your system.

Quote:

The Shadow Suite solves the problem by relocating the passwords to
another file (usually /etc/shadow). The /etc/shadow file is set so
that it cannot be read by just anyone. Only root will be able to read
and write to the /etc/shadow file. Some programs (like xlock) don't
need to be able to change passwords, they only need to be able to
verify them. These programs can either be run suid root or you can
set up a group shadow that is allowed read only access to the
/etc/shadow file. Then the program can be run sgid shadow.

-rw-r----- 1 root shadow 493 2007-08-19 08:36 /etc/shadow

See 'man shadow' and the stuff in /usr/doc/shadow-(version)/.
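
The permission model discussed in this thread, written as a check an administrator can run (an added example, not part of any poster's reply). It assumes GNU coreutils `stat -c`; the function names `shadow_findings`, `audit_shadow` and `is_setuid_root` are hypothetical.

```shell
#!/bin/sh
# Added example: audits the setup described in the thread above.
# Assumes GNU stat (-c). Paths are parameters so test copies can be checked.

# shadow_findings MODE OWNER GROUP
# Prints one line per deviation from "root read/write, read-only shadow group".
shadow_findings() {
    mode=$1; owner=$2; group=$3
    if [ $(( 0$mode & 07 )) -ne 0 ]; then
        echo "mode $mode: accessible to every local user"
    fi
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "mode $mode: group may write, expected read-only at most"
    fi
    if [ "$owner" != root ]; then
        echo "owner $owner: expected root"
    fi
    case $group in
        root|shadow) ;;
        *) echo "group $group: expected root or shadow" ;;
    esac
    return 0
}

# audit_shadow PATH: stat the file and report "ok" or the findings.
audit_shadow() {
    info=$(stat -c '%a %U %G' "$1") || return 1
    set -- "$1" $info    # intentional word splitting: mode, owner, group
    out=$(shadow_findings "$2" "$3" "$4")
    if [ -z "$out" ]; then
        echo "$1: ok (mode $2, $3:$4)"
    else
        printf '%s: FINDINGS\n%s\n' "$1" "$out"
    fi
}

# is_setuid_root PATH: true when PATH is root-owned with the setuid bit set,
# which is what lets passwd rewrite /etc/shadow for an unprivileged caller.
is_setuid_root() {
    info=$(stat -L -c '%a %U' "$1") || return 1
    [ "${info#* }" = root ] && [ $(( 0${info% *} & 04000 )) -ne 0 ]
}

if [ -e /etc/shadow ]; then audit_shadow /etc/shadow; fi
p=$(command -v passwd || true)
if [ -n "$p" ] && is_setuid_root "$p"; then echo "$p: setuid root"; fi
```

The `-rw-r----- root shadow` listing quoted above corresponds to mode 640 and passes with no findings.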

