Permissions on /etc/shadow

filespermissionsshadow

I am using Red Hat Enterprise Linux and here are the details:

uname -a
3.10.0-327.22.2.e17.x86_64

When I check permissions on the shadow file I see the following:

ls -l /etc/shadow
----------. 1 root root 1467 /etc/shadow

I am surprised to see these permissions. I would think that 'passwd' would need at least read/write permissions for the owner to update this file. Any idea what is going on here?

Best Answer

That's normal.

passwd doesn't need read/write permissions as it's got the suid bit set, runs as root.

# ls -l /etc/shadow /usr/bin/passwd
---------- 1 root root   798 Jul 21 21:15 /etc/shadow
-rwsr-xr-x 1 root root 26688 Sep 10  2015 /usr/bin/passwd
#

More info at Stackexchange "How does the 'passwd' command gain root user permissions?" if you want it.

Related Solutions

Linux – How to Make a File Not Modifiable

You can set the "immutable" attribute with most filesystems in Linux.

chattr +i foo/bar

To remove the immutable attribute, you use - instead of +:

chattr -i foo/bar

To see the current attributes for a file, you can use lsattr:

lsattr foo/bar

The chattr(1) manpage provides a description of all the available attributes. Here is the description for i:

   A  file with the `i' attribute cannot be modified: it cannot be deleted
   or renamed, no link can be created to this file  and  no  data  can  be
   written  to  the  file.  Only the superuser or a process possessing the
   CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

How to grant a user rights to change ownership of files/directories in a directory

Only root has the permission to change the ownership of files. Reasonably modern versions of Linux provide the CAP_CHOWN capability; a user who has this capability may also change the ownership of arbitrary files. CAP_CHOWN is global, once granted, it applies to any file in a local file system.

Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to. So if user U belongs to groups A, B, and C but not to D, then U may change the group of any file that U owns to A, B, or C, but not to D. If you seek for arbitrary changes, then CAP_CHOWN is the way to go.

CAUTION CAP_CHOWN has severe security implications, a user with a shell that has capability CAP_CHOWN could get root privileges. (For instance, chown libc to yourself, patch in your Trojan Horses, chown it back and wait for a root process to pick it up.)

Since you want to restrict the ability to change ownership to certain directories, none of the readily available tools will aid you. Instead you may write your own variant of chown that takes care of the intended restrictions. This program needs to have capability CAP_CHOWN e.g.

setcap cap_chown+ep /usr/local/bin/my_chown

CAUTION Your program will probably mimic the genuine chown, e.g. my_chownuser:group filename(s). Do perform your input validation very carefully. Check that each file satisfies the intended restrictions, particularly, watch out for soft links that point out of bounds.

If you want to restrict access your program to certain users, you may either create a special group, set group ownership of my_chown to this group, set permissions to 0750, and add all users that are permitted to this group. Alternatively you may use sudo with suitable rules (in this case you also don't need capability magic). If you need even more flexibility, then you need to code the rules you have in mind into my_chown.

Best Answer

Related Solutions

Linux – How to Make a File Not Modifiable

How to grant a user rights to change ownership of files/directories in a directory

Related Question