I largely agree but I'd like to point out a little bit of nuance. Even
on modern (e.g., 20.04) systems using shadow by default, global
read/write access to /etc/passwd{,-} _can_ (in some scenarios) still
problematic. A system will still function fine even if /etc/passwd has
000 permissions (+/- some quirks you mentioned, John, about ls and other
utilities not working and the user having no display name when logging
in to their shell).
However, you can still add non-shadowed entries into /etc/passwd{,-} and
have the resulting entries work:
loser:$6$7RrPcCmNJddmS6RK$wHog/STwlVx42Y/jrVMBol9AUHGxywkr7oa4w4gH72Tm0WpCx2nVhmmaIL5JmxJfHLf9ZaoUi/i2RRUp1t8gO.:1001:1000:user:/home/loser:/bin/bash
(with no entry in /etc/shadow -- password is 'user' before you try
cracking it ;-)
IMO, with access to the backup file, there's two risks:
- Modification (which CIS defends against) -- if admin ever reverts a backup
file corrupted by an attacker, we could hit the above scenario or:
- Brute-force (which CIS also defends against though as you pointed out, is a
bit overkill).
What do I mean by the latter? CIS benchmark has a x-day password
rotation window with some complexity arguments on quality. If
/etc/passwd has any non-shadowed entries in it (e.g., from a _really_
old system that was fully upgraded or was manually added for whatever
reason), /etc/passwd- could be a source of leaking (potentially) old
passwords for these accounts and (if they're reused across the org or
indicative of a pattern by the owner) provide an attack vector for other
systems in the organization.
Regardless... that probably isn't a threat on a well-admin'd machine. :)
CIS has also relaxed this in later versions of the guide:
https://workbench.cisecurity.org/community/1/discussions/2821
https://workbench.cisecurity.org/tickets/5218
https://workbench.cisecurity.org/benchmarks/6800/tickets/5158
&c.
This is already addressed in CIS benchmark for Ubuntu 20.04 v1.0.0.
It is also corrected in the future (unreleased) version of 18.04 guidance:
https://workbench.cisecurity.org/sections/772680/recommendations/1262266
Until such benchmark is released, we can't switch to using that
guidance.
But it is coming :)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1923262
Title:
backup /etc/passwd- file should be mode 0600
Status in shadow package in Ubuntu:
Incomplete
Bug description:
CIS hardening benchmarks (6.1.6) suggest that the /etc/passwd- file
should be mode 0600 (or more restrictive).
However, this file is 0644 after it is created when the /etc/passwd
file is modified. (Ie, a hardening script that creates a hardened
system for initial use could change this mode, but it will go out of
compliance the next time a backup file is made.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1923262/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
