Re[2]: [cobalt-security] /etc/shadow
- Subject: Re[2]: [cobalt-security] /etc/shadow
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: Wed, 6 Feb 2002 14:05:30 +0300 (MSK)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Tue, 5 Feb 2002 21:22:06 -0500 Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Tuesday 05 February 2002 08:06 pm, M. Dinh wrote:
> > I'm sorry for my stupidity
> > What's wrong if you have /etc/shadow set to
> > -r--------?
>
> Somebody is up to dirty tricks!!!
> it should be
> -rw-r--r--
> -rw-r--r-- 1 root root 1020 Dec 19 13:36 /etc/passwd
Don't teach people wrong things. /etc/passwd should be world-readable,
/etc/shadow should not. /etc/shadow's writability for the owner in fact
does not matter because it is only read and written by root, and root has
read/write access to all files regardless of permission flags.
> Kind of difficult to enter a new user / password if no one can write to
> the file.
Not in this case.
In some distributions, /etc/shadow has permissions 0600, but if it has
0400, there is nothing wrong. If it is readable to group or world, *this* is
very wrong because it defeats the whole purpose of shadowing the passwords.
Eugene
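
An added example, not part of the original message: a POSIX shell check that applies the rule stated above (no group or world access on the shadow file, whether it is 0600 or 0400, and a world-readable passwd file). The function names are hypothetical, and the mode bits are read from `ls -ldL` output.

```shell
#!/bin/sh
# Added example: audit password-file modes against the rule in the message.
# Function names are hypothetical. Usage: source this file, then run `audit`.

# Print the nine permission characters (user/group/other) of a file.
perm_bits() {
    # ls -ldL prints e.g. "-r-------- 1 root root ..."; chars 2-10 are the bits.
    ls -ldL -- "$1" 2>/dev/null | cut -c2-10
}

# Return 0 if group and other have no access at all (0600 and 0400 both pass),
# 1 if any group/other bit is set, 2 if the file cannot be examined.
check_shadow_mode() {
    bits=$(perm_bits "$1") || return 2
    [ -n "$bits" ] || return 2
    case "$bits" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if the file is world-readable, as the message says /etc/passwd
# should be; 1 if it is not; 2 if the file cannot be examined.
check_passwd_mode() {
    bits=$(perm_bits "$1") || return 2
    [ -n "$bits" ] || return 2
    case "$bits" in
        ??????r??) return 0 ;;
        *)         return 1 ;;
    esac
}

# Check both files (defaults: the live system files) and report failures.
audit() {
    shadow=${1:-/etc/shadow}
    passwd=${2:-/etc/passwd}
    rc=0
    check_shadow_mode "$shadow" || { echo "FAIL $shadow: $(perm_bits "$shadow")"; rc=1; }
    check_passwd_mode "$passwd" || { echo "FAIL $passwd: $(perm_bits "$passwd")"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}
```

Under this rule, a system that ships the shadow file as 0640 with a dedicated group is reported as failing.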