[Bug 1923262] Re: backup /etc/passwd- file should be mode 0600
Alexander Scheel
1923262 at bugs.launchpad.net
Mon Apr 12 14:18:28 UTC 2021
I largely agree but I'd like to point out a little bit of nuance. Even
on modern (e.g., 20.04) systems using shadow by default, global
read/write access to /etc/passwd{,-} _can_ (in some scenarios) still be
problematic. A system will still function fine even if /etc/passwd has
000 permissions (+/- some quirks you mentioned, John, about ls and other
utilities not working and the user having no display name when logging
in to their shell).
However, you can still add non-shadowed entries into /etc/passwd{,-} and
have the resulting entries work:
loser:$6$7RrPcCmNJddmS6RK$wHog/STwlVx42Y/jrVMBol9AUHGxywkr7oa4w4gH72Tm0WpCx2nVhmmaIL5JmxJfHLf9ZaoUi/i2RRUp1t8gO.:1001:1000:user:/home/loser:/bin/bash
(with no entry in /etc/shadow -- password is 'user' before you try
cracking it ;-)
IMO, with access to the backup file, there are two risks:
- Modification (which CIS defends against) -- if admin ever reverts a backup file corrupted by an attacker, we could hit the above scenario or:
- Brute-force (which CIS also defends against though as you pointed out, is a bit overkill).
What do I mean by the latter? CIS benchmark has a x-day password
rotation window with some complexity arguments on quality. If
/etc/passwd has any non-shadowed entries in it (e.g., from a _really_
old system that was fully upgraded or was manually added for whatever
reason), /etc/passwd- could be a source of leaking (potentially) old
passwords for these accounts and (if they're reused across the org or
indicative of a pattern by the owner) provide an attack vector for other
systems in the organization.
Regardless... that probably isn't a threat on a well-admin'd machine. :)
CIS has also relaxed this in later versions of the guide:
https://workbench.cisecurity.org/community/1/discussions/2821
https://workbench.cisecurity.org/tickets/5218
https://workbench.cisecurity.org/benchmarks/6800/tickets/5158
&c.
This is already addressed in the CIS benchmark for Ubuntu 20.04 v1.0.0.
It is also corrected in the future (unreleased) version of 18.04 guidance:
https://workbench.cisecurity.org/sections/772680/recommendations/1262266
Until such a benchmark is released, we can't switch to using that
guidance.
But it is coming :)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1923262
Title:
backup /etc/passwd- file should be mode 0600
Status in shadow package in Ubuntu:
Incomplete
Bug description:
CIS hardening benchmarks (6.1.6) suggest that the /etc/passwd- file
should be mode 0600 (or more restrictive).
However, this file is 0644 after it is created when the /etc/passwd
file is modified. (Ie, a hardening script that creates a hardened
system for initial use could change this mode, but it will go out of
compliance the next time a backup file is made.)
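The two checks discussed in this thread, as an added example that is not part of the bug report or of the shadow package: it scans /etc/passwd-style content for hashes stored outside /etc/shadow (including hashes behind a '!' lock prefix, which do not log in but still leak), and it checks whether a backup copy such as /etc/passwd- is no more permissive than 0600. The sample entries are constructed for the example; the 'loser' line is the one quoted above. No real system file is read or modified, and the mode check is exercised on a temporary file.

```python
"""Added example: audit passwd-format content for non-shadowed hashes and
check the permission bits of a backup file against the CIS 6.1.6 target."""
import os
import stat
import tempfile

# Constructed sample in /etc/passwd format (7 colon-separated fields per entry).
# 'x' means the hash lives in /etc/shadow; anything else is stored right here.
# 'loser' is the entry quoted in the thread; the other lines are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
loser:$6$7RrPcCmNJddmS6RK$wHog/STwlVx42Y/jrVMBol9AUHGxywkr7oa4w4gH72Tm0WpCx2nVhmmaIL5JmxJfHLf9ZaoUi/i2RRUp1t8gO.:1001:1000:user:/home/loser:/bin/bash
olduser:!$1$abcdefgh$0123456789abcdefghijkl:1002:1000:locked legacy account:/home/olduser:/bin/sh
guest::1003:1000:empty password field:/home/guest:/bin/sh
"""


def parse_passwd(text):
    """Return a list of 7-field tuples; reject malformed lines instead of guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(tuple(fields))
    return entries


def classify_password_field(pw):
    """Label the second field of a passwd entry.

    shadowed    - 'x': the real hash is in /etc/shadow
    empty       - '': no password stored at all
    locked      - only '!' / '*' characters: nothing to crack
    locked-hash - a hash behind a '!' or '*' prefix: login disabled, hash still crackable
    hash        - a usable hash stored directly in this file (the 'loser' case)
    """
    if pw == "x":
        return "shadowed"
    if pw == "":
        return "empty"
    if pw.lstrip("!*") == "":
        return "locked"
    return "locked-hash" if pw[0] in "!*" else "hash"


def find_leakable_hashes(text):
    """Accounts whose hash a world-readable passwd or passwd- copy would expose."""
    return [(name, classify_password_field(pw))
            for name, pw, *_ in parse_passwd(text)
            if classify_password_field(pw) in ("hash", "locked-hash")]


def mode_within(path, max_mode=0o600):
    """True if no permission bit is set on path that max_mode does not allow."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & ~max_mode) == 0


def demo_backup_mode_check():
    """Write the sample to a temporary file, check it at 0644 (what a fresh
    /etc/passwd- backup gets, per the bug) and again at 0600 (the CIS target).
    Returns (verdict_at_0644, verdict_at_0600)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".passwd-") as f:
        f.write(SAMPLE_PASSWD)
        path = f.name
    try:
        os.chmod(path, 0o644)
        lax_ok = mode_within(path)
        os.chmod(path, 0o600)
        strict_ok = mode_within(path)
    finally:
        os.unlink(path)
    return lax_ok, strict_ok


if __name__ == "__main__":
    for name, status in find_leakable_hashes(SAMPLE_PASSWD):
        print(f"{name}: {status}")
    lax, strict = demo_backup_mode_check()
    print(f"0644 within 0600: {lax}; 0600 within 0600: {strict}")
```

Pointing `find_leakable_hashes` at the contents of both /etc/passwd and /etc/passwd- (run as root, since the latter should not be readable otherwise) is the quick way to see whether the brute-force risk described above applies to a given host at all; if it returns nothing, the mode of the backup file matters only for the modification risk.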