[SOLVED] /etc/passwd and /etc/shadow - changing owner and group
Linux - Newbie
Hi,
VERY new user here, but would there be any benefit from changing the /etc/shadow or /etc/passwd owner and group to a different user besides root?
I am looking at this from a security perspective. I assumed root would be the most logical user and group to keep it as, but I have some documentation (internal) here that asks me to change these two files' owner and group. I assume this would make it less secure as it gives root + the owner + the group access instead of just root.
Is this a homework question? Or where is it coming from? What kind of documentation is it?
I guess you can easily try whether that works at all (in a VM). Theoretically you can change owner/group to a non-existent account too.
You are right, it would lower security.
Further, integrity/security checkers would complain.
Further, the owner/group/permissions are in the package DB, and can be reset during an OS update.
What is the goal?
Give access to others? Then sudo is the first choice!
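To make the "integrity checkers would complain" point concrete, here is a small audit script added by the editor (it is not code from any poster in this thread). It compares the owner, group and mode of the account database files against expected values and flags any deviation, such as the UID 1000 owner and 0644 mode the thread describes. The expected values in the table are assumptions for a Debian/Ubuntu-style layout (root:shadow 0640 for shadow and gshadow); Fedora/RHEL systems ship /etc/shadow as root:root 0000, so adjust the table for your distro. It relies on GNU `stat -c`, so it is not portable to BSD `stat` as written.

```shell
#!/bin/sh
# Added example: audit ownership and mode of the local account database files.
# Assumes GNU coreutils stat; the expected values are assumptions for a
# Debian/Ubuntu-style system and may differ on other distributions.

# check_file_owner_mode PATH EXPECTED_OWNER EXPECTED_GROUP EXPECTED_MODE
# Prints one result line. Returns 0 when the file matches, 1 on a mismatch,
# 2 when the file cannot be read with stat (missing or no permission).
check_file_owner_mode() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4
    # %U user name, %G group name, %a octal mode without leading zero (e.g. 644)
    actual=$(stat -c '%U %G %a' "$path" 2>/dev/null) || {
        printf 'MISSING  %s\n' "$path"
        return 2
    }
    # Split "owner group mode" into the positional parameters
    set -- $actual
    if [ "$1" = "$want_owner" ] && [ "$2" = "$want_group" ] && [ "$3" = "$want_mode" ]; then
        printf 'OK       %s is %s:%s %s\n' "$path" "$1" "$2" "$3"
        return 0
    fi
    printf 'MISMATCH %s is %s:%s %s, expected %s:%s %s\n' \
        "$path" "$1" "$2" "$3" "$want_owner" "$want_group" "$want_mode"
    return 1
}

# audit_account_files
# Runs the check over the four account database files. Returns 0 only when
# every file is present and matches; otherwise the number of failing files.
audit_account_files() {
    failures=0
    # file owner group mode  (assumed Debian/Ubuntu defaults; adjust per distro)
    while read -r file owner group mode; do
        check_file_owner_mode "$file" "$owner" "$group" "$mode" || failures=$((failures + 1))
    done <<EOF
/etc/passwd root root 644
/etc/group root root 644
/etc/shadow root shadow 640
/etc/gshadow root shadow 640
EOF
    return "$failures"
}

# Run the audit when executed directly; a non-zero count means something
# deviates from the expected layout and deserves a look.
audit_account_files || echo "one or more account files deviate from the expected owner/group/mode"
```

Run it as root (or any user; reading the mode and owner of /etc/shadow does not require read access to its contents) after setting up a machine, and again after package updates, since the package manager may restore the shipped ownership and silently undo a manual chown.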
When I say internal documentation, I mean someone had previously documented this as a process for me to follow when setting up a new machine.
(The person has since left; I never spoke to him personally, it was way before my time.)
I wanted to understand why he would chown and chgrp to a different user (in this case it was a local account with UID 1000, which I believe is the user who set up the machine) and then apply chmod 0644 with that user as well.
@madeinGermany - thanks for the tip, yes I read as well that some modules would also complain about the integrity of the passwd/shadow file if permissions were changed.
I might keep it standard as root, especially if it's more secure.
Yes, in a production environment do not do this. But in a VM you may try it, if you wish, and you will see the result. Anyway, you need to ask that person about it (or check if it was documented somewhere). It is quite unusual; there is no real reason to do that.
Welcome to LQ, NewUser0001 (last time I backwardly said: "Welcome <new username> to LQ", LoL)
Quote:
[x-employee] had previously documented this as a process for me to follow when setting up a new machine
OhMyGosh, I wonder IF they still have/had access! Or maybe they were 'making fun' of a n00b....
(1000 is generally the first added user)
Anyway, +1 #5 (infinitely better/safer to just erase the whole system)
I hope you spend some time studying Linux! Run VirtualBox.org on your PC & start with the .iso of DistroWatch.com/mll
(It is just the kernel & BusyBox.net CLI, withOUT even an /etc/passwd file! Cool!)
Best Wishes (&be careful)! Feel free to ask&tell us more....
These files are part of the so-called "shadow passwords" system. The original Unix® put lightly-encrypted "actual passwords(!)" in a file called passwd, and this became a still-supported way to obtain a list of all system users. But it was terribly insecure.
So, one way – but not the only way – to properly secure them was to put the "real" information in a "shadow" password-file that ordinary users can't get into. The original passwd file continues to exist and has the same format as before, for application compatibility, but it doesn't contain real passwords. (Likewise the groups file isn't "real" or "authoritative.")
Footnote: Linux provides a system called PAM = Pluggable Authentication Modules which allows you to, among other things, completely supersede the "passwd" system and replace it with something else. For example, many companies use LDAP, or Microsoft's "OpenDirectory®" equivalent of the same, to provide centrally-managed "single sign-on" capability across all their computers at once. And Linux is seamlessly compatible with that, by means of PAM and kernel modules.
Last edited by sundialsvcs; 12-13-2023 at 08:07 AM.