LinuxQuestions.org
Old 12-11-2023, 11:15 PM   #1
NewUser0001
LQ Newbie
 
Registered: Dec 2023
Posts: 3

Rep: Reputation: 0
/etc/passwd and /etc/shadow - changing owner and group


Hi,

VERY new user here, but would there be any benefit from changing the /etc/shadow or /etc/passwd owner and group to a different user besides root?

I am looking at this from a security perspective. I assumed root would be the most logical user and group to keep it as, but I have some documentation (internal) here that asks me to change these two files' owner and group. I assume this would make it less secure, as it gives root + the owner + the group access instead of just root.

Appreciate any assistance or advice here!
 
Old 12-11-2023, 11:52 PM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,864

Rep: Reputation: 7311
Is this a homework question? Or where is it coming from? What kind of documentation is it?
I guess you can easily try if that works at all (in a VM). Theoretically you can change owner/group to a non-existent account too.
 
Old 12-12-2023, 05:38 AM   #3
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 2,798

Rep: Reputation: 1201
You are right, it would lower security.
Further, integrity/security checkers would complain.
Further, the owner/group/permissions are in the package DB, and can be reset during an OS update.

What is the goal?
Give access to others? Then sudo is the first choice!
 
Old 12-12-2023, 05:47 PM   #4
NewUser0001
LQ Newbie
 
Registered: Dec 2023
Posts: 3

Original Poster
Rep: Reputation: 0
Appreciate the responses guys,

When I say internal documentation, I mean someone had previously documented this as a process for me to follow when setting up a new machine.
(person has since left) never spoke to him personally, way before my time.

I wanted to understand why he would chown and chgrp to a different user (in this case it was a local account with UID 1000, which I believe is the user who set up the machine) and then apply chmod 0644 with that user as well.

@madeinGermany - thanks for the tip, yes I read as well that some modules would also complain about the integrity of the passwd/shadow file if permissions were changed.

I might keep it standard as root, especially if it's more secure.
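
An added example, not part of any post in this thread: the kind of ownership and mode check an integrity checker applies to these two files, which flags the setup described above (a non-root owner and mode 0644 on the shadow file). The function names are hypothetical, and the baselines (root-owned, `/etc/passwd` at most 0644, `/etc/shadow` at most 0640) are assumptions taken from common distribution defaults; GNU `stat` is assumed.

```shell
#!/bin/sh
# audit_file PATH EXPECTED_UID MAX_MODE
#   0 = owned by EXPECTED_UID and no permission bits outside MAX_MODE
#   1 = drift found (one line printed per finding), 2 = cannot stat PATH
audit_file() {
    local path=$1 want_uid=$2 max_mode=$3
    local uid gid mode extra rc=0
    uid=$(stat -c %u -- "$path") || return 2
    gid=$(stat -c %g -- "$path") || return 2
    mode=$(stat -c %a -- "$path") || return 2

    if [ "$uid" -ne "$want_uid" ]; then
        echo "$path: owner uid $uid (gid $gid), expected uid $want_uid"
        rc=1
    fi

    # Permission bits present on the file but absent from the baseline.
    # The leading 0 makes the shell read both values as octal.
    extra=$(( 0$mode & ~0$max_mode & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf '%s: mode %s exceeds baseline %s (extra bits %o)\n' \
            "$path" "$mode" "$max_mode" "$extra"
        rc=1
    fi
    return $rc
}

# Assumed baselines: both files owned by uid 0 (root).
audit_account_files() {
    local rc=0
    audit_file /etc/passwd 0 0644 || rc=1
    audit_file /etc/shadow 0 0640 || rc=1
    return $rc
}

# stat needs no read access to the files, so this runs as any user.
audit_account_files || echo "account file ownership/mode drift detected" >&2
```

With the shadow file handed to UID 1000 and set to 0644, both checks fire for `/etc/shadow`: the owner is not uid 0, and the world-read bit (4) is outside the 0640 baseline.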
 
Old 12-12-2023, 09:31 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,662
Blog Entries: 4

Rep: Reputation: 3942
Do Not(!) Do This!

Period.
 
1 members found this post helpful.
Old 12-12-2023, 10:39 PM   #6
NewUser0001
LQ Newbie
 
Registered: Dec 2023
Posts: 3

Original Poster
Rep: Reputation: 0
Roger that, thanks LEGENDS.
 
Old 12-13-2023, 12:55 AM   #7
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,864

Rep: Reputation: 7311
Yes, in a production environment do not do this. But in a VM you may try it, if you wish. And you will see the result. Anyway, you need to ask that person about it (or check if it was documented somewhere). It is quite unusual, there is no real reason to do that.
 
Old 12-13-2023, 01:25 AM   #8
___
Member
 
Registered: Apr 2023
Posts: 140
Blog Entries: 1

Rep: Reputation: Disabled
Fascinating

Welcome to LQ, NewUser0001 (last time I backwardly said: "Welcome <new username> to LQ", LoL)

Quote:
[x-employee] had previously documented this as a process for me to follow when setting up a new machine
OhMyGosh, I wonder IF they still have/had access! Or maybe they were 'making fun' of a n00b....
(1000 is generally the first added user)

Anyway, +1 #5 (infinitely better/safer to just erase the whole system)

I hope you spend some time studying Linux! Run VirtualBox.org on your PC & start with the .iso of DistroWatch.com/mll
(It is just the kernel & BusyBox.net CLI, withOUT even an /etc/passwd file! Cool!)

Best Wishes (&be careful)! Feel free to ask&tell us more....
 
Old 12-13-2023, 08:05 AM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,662
Blog Entries: 4

Rep: Reputation: 3942
Explanation:

These files are part of the so-called "shadow passwords" system. The original Unix® put lightly-encrypted "actual passwords(!)" in a file called passwd, and this became a still-supported way to obtain a list of all system users. But it was terribly insecure.

So, one way – but not the only way – to properly secure them was to put the "real" information in a "shadow" password-file that ordinary users can't get into. The original passwd file continues to exist and has the same format as before, for application compatibility, but it doesn't contain real passwords. (Likewise the groups file isn't "real" or "authoritative.")

Footnote: Linux provides a system called PAM = Pluggable Authentication Modules which allows you to, among other things, completely supersede the "passwd" system and replace it with something else. For example, many companies use LDAP, or Microsoft's "OpenDirectory®" equivalent of the same, to provide centrally-managed "single sign-on" capability across all their computers at once. And Linux is seamlessly compatible with that, by means of PAM and kernel modules.

Last edited by sundialsvcs; 12-13-2023 at 08:07 AM.
 
  

