/etc


Harvey
11-08-2000, 10:41 AM
Is there any reason for this directory to be readable by all? Other users looking at your passwd file is a bad idea, I would suspect. Can I just change the permissions on /etc and everything in it to 700? Or would that break other things?

klamath
11-08-2000, 11:35 AM
Yes, that would break lots of things.

There's no harm in letting any user read /etc - if you're using shadowed passwords, /etc/passwd doesn't contain the users' passwords anyway.

------------------
- Klamath
Get my GnuPG Key Here (http://klamath.dyndns.org/mykey.asc)
Looking for an open source project to contribute to? Check out the BBB (http://bbb.sourceforge.net)

[This message has been edited by klamath (edited 08 November 2000).]

Muzzafarath
11-08-2000, 01:00 PM
Even if you don't have shadowed p/w installed, the passwords in /etc/passwd would still be encrypted in such a way that you need the actual password to encrypt the encrypted password (wow, confusing ;)).

As klamath said, it would break lots of things. There are many programs that don't run as root that read their config from /etc.

Harvey
11-08-2000, 10:20 PM
I'm pretty sure I have read though that if you go get /etc/passwd, get all the encrypted passwords, then run a dictionary attack-ish program through the same type of encryption that Linux uses to encrypt its passwords, you can compare the results from your now encrypted dictionary attack to the encrypted passwords from /etc/passwd, and as soon as you find a matching set of encrypted things, you can just check which word you encrypted to do that, and you're good to go.

But I am using shadow passwords, so I won't have that problem, I guess. I was just asking for the principle of the thing. :)

------------------
Help me I'm Harvey!

klamath
11-08-2000, 10:48 PM
Yes, you can do brute-force cracking of non-shadowed passwords. It takes a fairly long time (depending on the quality of the passwords chosen). The classic password cracking app is "crack" - but IIRC, "John The Ripper" is the latest and greatest.


aph3x
11-09-2000, 03:16 AM
How exactly do shadowed passwords work? Doesn't the login program read /etc/passwd to compare the password entered and the one stored in /etc/passwd? If not, then why have an /etc/passwd file at all?

Thanks :D

jesterspet
11-09-2000, 04:50 AM
How do shadowed passwords work?

OK, we know that Linux stores passwords in /etc/passwd. This is "unsafe" as /etc/passwd is (and must be) readable. Any user can view /etc/passwd's contents by simply concatenating (sp?) it.

If you do this, the second field in the colon-delimited file is the password field. In the days of old this field would have something like "zKrwW.6Fnuib9L", scrambled well beyond any normal human's ability to unscramble. This password is actually the hashed password (DES encryption if memory serves me). The resourceful user could then use a script armed with a dictionary, and simply encrypt common words until they match the encrypted form.

Today's distros use shadowed passwords. What this does is it puts a placeholder in the password field of /etc/passwd and stores the actual encrypted password in /etc/passwd.

So now when a program needs to auth someone, you can verify an account from /etc/passwd, and when the password needs verification the shadow password suite will check the /etc/shadow file.

If you want a more in-depth explanation you would probably have to scour the internet for shadowed passwords documents.

------------------
[X] YES! I'm a brain-damaged lemur on crack, and I'd like to order your software package for $459.95!
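
Added example, not part of any post in this thread: a shell audit of the layout jesterspet describes, listing accounts whose hash still sits in the readable password field of a passwd-format file, and checking whether a file is readable by everyone. The sample file, the login names alice and guest, and the function names are constructed for illustration; the hash string is the one quoted in the post above.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for entries that are not shadowed.

# Write a constructed sample in /etc/passwd format to the path given as $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:zKrwW.6Fnuib9L:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
EOF
}

# Print login names whose second field holds a hash instead of the shadow
# placeholder "x", a locked marker ("*" or "!" prefix) or nothing at all.
unshadowed_accounts() {
    awk -F: '
        /^#/ || /^$/ { next }            # skip comments and blank lines
        NF < 7 { next }                  # not a complete passwd record
        $2 == "x" || $2 == "" { next }   # shadowed, or reported separately
        $2 ~ /^[*!]/ { next }            # locked account, no usable hash
        { print $1 }
    ' "$1"
}

# Print login names with an empty password field (no password required).
empty_password_accounts() {
    awk -F: '/^#/ || /^$/ { next } NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Succeed if "other" has read permission on $1 (mode bit 004 is set).
other_can_read() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

sample=$(mktemp)
write_sample "$sample"
echo "hash exposed in passwd field: $(unshadowed_accounts "$sample")"
echo "empty password field:         $(empty_password_accounts "$sample")"
for f in /etc/passwd /etc/shadow; do
    if other_can_read "$f"; then
        echo "$f: readable by everyone"
    else
        echo "$f: not world-readable (or absent)"
    fi
done
rm -f "$sample"
```

On a shadowed system the expected picture is /etc/passwd readable by everyone with only placeholders in the second field, and /etc/shadow not readable by others.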

toolie
11-09-2000, 12:21 PM
Shadow passwords aren't safe either. As far back as 1996 (or was it 1995?), there have been programs, scripts, ways to get the shadowed passwords into a password file so that the dictionary lookup method would work.

You would also be AMAZED at the insane amounts of dictionaries that are out there. One group (3rd Rock from the Sun maybe? Don't remember - it was a LOOOOONG time ago) actually went through a bunch of sci-fi/fantasy novels (some really obscure stuff too) and grabbed all the names of the characters/towns/etc. It was an impressive effort. There is also a 58(?)meg dictionary file floating around. It was called all-words or something if you want to search for it.

In short, just shadowing your passwords isn't enough. Keep people you don't trust off your system. If people pay you for access, set up a way to keep an eye on the important files.

Oh, and DON'T change the perms on /etc :P

klamath
11-09-2000, 12:52 PM
I was under the impression that only root can read the shadowed passwords. The critical userspace apps (like login or passwd) are setUID root, so they have access (but only to do very specific things).


X_console
11-09-2000, 02:45 PM
Root is the only one who can access /etc/shadow. If someone else can, then that means they've already found a way to run as root. Which means you'd have bigger problems other than worrying about who's cracking the passwd/shadow file. In any case, it's good practice to change your passwords periodically to ensure that cracked passwords "expire".

jesterspet
11-10-2000, 07:43 PM
We could get into a really long discussion about password security and stuff, but it should suffice to say, use your best judgement.

If you are on a home system that your family uses, and they are not computer oriented, then password rules such as must be at least 8 characters long, include both upper and lowercase characters and a digit, and it expires in 20 days. I know my mother would never allow me to eat dinner at her place again if I did this to her computer. In a corporation with sensitive data on public servers this would be acceptable (even if only marginally).

Password security is largely a trade-off between good passwords and passwords folks can remember without writing them down and posting them on the terminal.

Again, use your best judgement for passwords. If you suspect someone has hacked your box, change the root login password, and check your logs.


Glaurung
11-13-2000, 04:35 PM
Posted by Harvey:
or would that break other things?


I haven't tried it in the field, but I think if you make /etc/passwd unreadable, programs like ls just show your uid.