/etc/passwd
is sometimes called the user database. That should give us a clue as to why it needs to be readable by everyone. Any utility that inspects file metadata needs to be able to read /etc/passwd
(and /etc/group
) in order to be able to resolve the numerical IDs used by the kernel and its subsystems to the human-friendly names that we rely on. Tools that need to find your home directory (mail delivery agents, etc) look that information up in /etc/passwd
, and inet
miniservers like fingerd
look up your details in /etc/passwd
.
As has been pointed out elsewhere, there is no particularly sensitive data in the file, as modern systems put the password hashes in a shadow password file, which is readable only by root.
netstat
There's a process there, your userid just isn't privy to seeing what it is. This is a layer of protection provided by lsof
that's keeping you from seeing this. Simply re-run the command but prefix it using the sudo
command instead.
$ sudo netstat -antlp | grep 45136
There's even a warning about this in the output of lsof
at the top.
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Example
$ netstat -antlp | grep 0:111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
$ sudo netstat -antlp | grep 0:111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1248/rpcbind
ss
If you're not having any luck with netstat
perhaps ss
will do. You'll still need to use sudo
, and the output can be a little bit more cryptic.
Example
$ ss -apn|grep :111
LISTEN 0 128 :::111 :::*
LISTEN 0 128 *:111 *:*
$ sudo ss -apn|grep :111
LISTEN 0 128 :::111 :::* users:(("rpcbind",1248,11))
LISTEN 0 128 *:111 *:* users:(("rpcbind",1248,8))
Process ID still not there?
There are instances where there simply isn't a PID associated to the TCP port in use. You can read about NFS, in @derobert's answer, which is one of them. There are others. I have instances where I'm using ssh tunnels to connect back to services such as IMAP. These are showing up without a process ID too.
In any case you can use a more verbose form of netstat
which might shed additional light on what process is ultimately using a TCP port.
$ netstat --program --numeric-hosts --numeric-ports --extend
Example
$ netstat --program --numeric-hosts --numeric-ports --extend |grep -- '-' | head -10
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 192.168.1.103:936 192.168.1.3:60526 ESTABLISHED root 160024310 -
tcp 0 0 192.168.1.1:2049 192.168.1.3:841 ESTABLISHED sam 159941218 -
tcp 0 0 127.0.0.1:143 127.0.0.1:57443 ESTABLISHED dovecot 152567794 13093/imap-login
tcp 0 0 192.168.1.103:739 192.168.1.3:2049 ESTABLISHED root 160023970 -
tcp 0 0 192.168.1.103:34013 192.168.1.3:111 TIME_WAIT root 0 -
tcp 0 0 127.0.0.1:46110 127.0.0.1:783 TIME_WAIT root 0 -
tcp 0 0 192.168.1.102:54891 107.14.166.17:110 TIME_WAIT root 0 -
tcp 0 0 127.0.0.1:25 127.0.0.1:36565 TIME_WAIT root 0 -
tcp 0 0 192.168.1.1:2049 192.168.1.6:798 ESTABLISHED tammy 152555007 -
If you notice the output includes INODES so we could back track into the process using this info.
$ find -inum 152555007
Which will show you a file which might lead you to a process.
References
Best Answer
You can read the source code; speaking of... I did it for you; it looks like it's from the
ProcessInfo.cpp
file. It's getting the usernames. Not only that/etc/passwd
isn't a concern for you, anyone can read it. You might be worried though if it was trying to read/etc/shadow
.