I largely agree but I'd like to point out a little bit of nuance. Even on modern (e.g., 20.04) systems using shadow by default, global read/write access to /etc/passwd{,-} _can_ (in some scenarios) still be problematic. A system will still function fine even if /etc/passwd has 000 permissions (+/- some quirks you mentioned, John, about ls and other utilities not working and the user having no display name when logging in to their shell).

However, you can still add non-shadowed entries into /etc/passwd{,-} and have the resulting entries work:

    loser:$6$7RrPcCmNJddmS6RK$wHog/STwlVx42Y/jrVMBol9AUHGxywkr7oa4w4gH72Tm0WpCx2nVhmmaIL5JmxJfHLf9ZaoUi/i2RRUp1t8gO.:1001:1000:user:/home/loser:/bin/bash

(with no entry in /etc/shadow -- password is 'user' before you try cracking it ;-)

IMO, with access to the backup file, there are two risks:

- Modification (which CIS defends against) -- if an admin ever reverts a backup file corrupted by an attacker, we could hit the above scenario; or:
- Brute-force (which CIS also defends against, though as you pointed out, it is a bit overkill).

What do I mean by the latter? The CIS benchmark has an x-day password rotation window with some complexity arguments on quality. If /etc/passwd has any non-shadowed entries in it (e.g., from a _really_ old system that was fully upgraded, or entries manually added for whatever reason), /etc/passwd- could be a source of leaking (potentially) old passwords for these accounts and (if they're reused across the org or indicative of a pattern by the owner) provide an attack vector for other systems in the organization.

Regardless... that probably isn't a threat on a well-admin'd machine. :)

CIS has also relaxed this in later versions of the guide:

https://workbench.cisecurity.org/community/1/discussions/2821
https://workbench.cisecurity.org/tickets/5218
https://workbench.cisecurity.org/benchmarks/6800/tickets/5158
&c.

This is already addressed in the CIS benchmark for Ubuntu 20.04 v1.0.0. It is also corrected in the future (unreleased) version of the 18.04 guidance:

https://workbench.cisecurity.org/sections/772680/recommendations/1262266

Until such a benchmark is released, we can't switch to using that guidance. But it is coming :)
https://bugs.launchpad.net/bugs/1923262
Title: backup /etc/passwd- file should be mode 0600
ubuntu-bugs mailing list
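An added audit check (not from the bug report or the shadow package) for the two conditions the comment above combines: a passwd-format file that carries a real hash in its password field, and a backup copy whose mode is wider than 0600. It runs against a constructed sample file containing the non-shadowed "loser" entry quoted in the post; point audit_file at /etc/passwd and /etc/passwd- for a real system. GNU stat -c (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Constructed sample passwd-format file: two shadowed entries plus the
# non-shadowed "loser" entry quoted in the post above (hash for 'user').
SAMPLE="${TMPDIR:-/tmp}/passwd-audit-sample.$$"
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
loser:$6$7RrPcCmNJddmS6RK$wHog/STwlVx42Y/jrVMBol9AUHGxywkr7oa4w4gH72Tm0WpCx2nVhmmaIL5JmxJfHLf9ZaoUi/i2RRUp1t8gO.:1001:1000:user:/home/loser:/bin/bash
EOF
chmod 644 "$SAMPLE"   # deliberately world-readable, like a default /etc/passwd-

# Print the login name of every line whose password field holds a hash
# rather than the shadow marker (x) or a lock marker (*, !, !!).
# An empty field (no password at all) is a different problem and is skipped.
find_non_shadowed() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!+$/ && $2 != "" { print $1 }' "$1"
}

# Return 0 when the file mode grants nothing to group/other (0600 or tighter),
# 1 when it is wider, 2 when stat fails. Assumes GNU stat (-c %a).
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        600|400|200|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check for one file: fail only when hashes are present AND the
# file is readable beyond its owner, i.e. the leak scenario from the post.
audit_file() {
    hits=$(find_non_shadowed "$1")
    if [ -n "$hits" ] && ! mode_is_private "$1"; then
        printf 'WARNING: %s is wider than 0600 and holds hashes for: %s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Demonstration run against the constructed sample.
if audit_file "$SAMPLE"; then
    echo "sample passes"
else
    echo "sample fails (expected: hash present in a 0644 file)"
fi
```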