I suspect the rationale is that there is no need for everyone to be able to access the backup file, and it does contain information that might be useful to an attacker. `/etc/passwd`, on the other hand, needs to be world-readable or else many existing tools would break.
The real-world usefulness to an attacker of data in the backup file, that is not in the live file, seems pretty limited, though.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1923262

Title:
  backup /etc/passwd- file should be mode 0600

Status in shadow package in Ubuntu:
  Incomplete

Bug description:
  CIS hardening benchmarks (6.1.6) suggest that the /etc/passwd- file should be mode 0600 (or more restrictive). However, this file is 0644 after it is created when the /etc/passwd file is modified. (I.e., a hardening script that creates a hardened system for initial use could change this mode, but it will go out of compliance the next time a backup file is made.)
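The bug description's point is that a one-time chmod in a hardening script does not stick, because the shadow tools recreate `/etc/passwd-` at 0644 on the next edit, so a compliance check has to be re-run periodically. The following POSIX shell function is an added example, not part of the bug report or the shadow package: it reports whether a file's permission bits exceed a maximum allowed mode (a CIS 6.1.6-style check), and an audit wrapper runs it over the backup files the shadow suite writes. The list of files beyond `/etc/passwd-` (`/etc/group-`, `/etc/shadow-`, `/etc/gshadow-`) and the exit-code convention are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the mode of backup credential
# files against a maximum allowed mode, the way a CIS-style check does.
# Usage: check_backup_mode /etc/passwd- 600 ; audit_backup_files

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file has no permission bits beyond the allowed mask,
# 1 if it is more permissive than allowed, 2 if the file does not exist.
# The check is a bitmask comparison, so 0400 passes a 600 limit and 0644 fails it.
check_backup_mode() {
    path=$1
    allowed=${2:-600}
    [ -e "$path" ] || return 2
    mode=$(file_mode "$path")
    # Leading 0 makes the shell treat both values as octal constants.
    extra=$(( 0$mode & ~0$allowed ))
    if [ "$extra" -ne 0 ]; then
        echo "NONCOMPLIANT $path mode=$mode allowed<=$allowed"
        return 1
    fi
    echo "OK $path mode=$mode"
    return 0
}

# Audit the backup files the shadow suite writes (list assumed here);
# a missing file is not a failure, an over-permissive one is.
audit_backup_files() {
    rc=0
    for f in /etc/passwd- /etc/group- /etc/shadow- /etc/gshadow-; do
        check_backup_mode "$f" 600
        [ $? -eq 1 ] && rc=1
    done
    return $rc
}
```

Because the backup file is rewritten with the tool's default mode, run `audit_backup_files` from a scheduled job or a configuration-management run rather than once at provisioning time; the non-zero return value is what a cron wrapper or CI step should alert on.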