[Bug 1923262] Re: backup /etc/passwd- file should be mode 0600
John Johansen
1923262 at bugs.launchpad.net
Sat Apr 10 00:22:04 UTC 2021
The cisecurity guide is wrong. While there is info that could be
leveraged, but on a modern system the really sensitive information is
split out into /etc/shadow (which very much should be only readable by
root). The reality is that on a modern system /etc/passwd needs to be
world readable (it is the local user db) for several applications that
users can and do use (eg. ls being able to display who owns a file).
If /etc/passwd is world readable, there is no point in changing the
permissions on the backup file.
If you don't want /etc/passwd be available to all applications/users.
You can use a MAC system to further restrict access to /etc/passwd and
its backup file.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1923262
Title:
backup /etc/passwd- file should be mode 0600
Status in shadow package in Ubuntu:
Incomplete
Bug description:
CIS hardening benchmarks (6.1.6) suggest that the /etc/passwd- file
should be mode 0600 (or more restrictive).
However, this file is 0644 after it is created when the /etc/passwd
file is modified. (Ie, a hardening script that creates a hardened
system for initial use could change this mode, but it will go out of
compliance the next time a backup file is made.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1923262/+subscriptions
More information about the foundations-bugs
mailing list