Solaris / OpenSolarisThis forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In the interest of security is there any reason to make /etc/passwd and /etc/group 0400?
I would think some applications need to be able to map uid to username (ls -l). After making this change ls -l still works so does "groups" and "id -ap user".
Since the name service caches passwd and group on startup, makeing them fully available to users, do we gain anything from makeing them 0400?
Distribution: Red Hat 6.1,7.2,7.3 Mandrake 8.1,8.2
Posts: 48
Rep:
I'm not sure what you mean by ls -l, But yes it is standard parctice that the passwd, shadow, and group files have the 400 permissions set. Commands such as "passwd" that could possibly be run by a non-priviledged user have a SUID on them which will temporarily grant access to the files in order to make any modifications.
Originally posted by def1014 I'm not sure what you mean by ls -l,
The inodes have the UID and GID of a file. In order for ls -l to list usernames and group names it needs to access /etc/passwd (or a cached version of it, which is what it does).
If applications can call on the cached version of passwd and group then what is the benifit of making them 0400? It might make the admins life more difficult though.
Distribution: Red Hat 6.1,7.2,7.3 Mandrake 8.1,8.2
Posts: 48
Rep:
Yes, the inodes do contain UID and GID information of the file, but I'm not sure that these usernames and groups are cached at boot. I was under the impression these names were gotten as stated in the nsswitch.conf. What I was trying to explain is that when you have commands that have the SUID set on them, they are run as root...even by regular users. Not sure if ls is one of these commands. I don't know of anywhere else where you would be able to get the list of users on a system other than these files. Could you give me a scenario where you would need to give more rights to these particular files. Why would anyone else other than root need to read or write to them? It is a standard security precaution. If you need to give other people certain rights, I would look into something like sudo.
You'll break many things if normal users are not able to read /etc/passwd and /etc/group. Luckily Solaris does put the actual passwords in /etc/shadow which is 0400.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
/etc/passwd security
