/etc/passwd Security Risks & User IDs

Questions and Answers

What is the primary security risk associated with storing user information in /etc/passwd?

• It contains a list of all authorized users, making it easier to enumerate potential targets.
• The login names are case-sensitive making it easier for attackers to guess usernames.
• The user's UID is exposed, which can be used to predict future UIDs.
• The file is world-readable, potentially exposing pro-forma entries where user passwords used to be. (correct)

Which of the following describes the relationship between /etc/passwd and /etc/shadow in a modern Linux system?

• ` /etc/passwd` contains encrypted passwords, while `/etc/shadow` stores basic user information.
• `/etc/passwd` is used for local users, while `/etc/shadow` is used for remotely authenticated users.
• ` /etc/passwd` stores basic user information, while `/etc/shadow` stores encrypted passwords and access control information. (correct)
• Both files store identical user information and passwords, providing redundancy.

A system administrator notices that a user's login name in /etc/passwd starts with a number. What is the likely consequence of this?

• The system will deny login to the user.
• The system will automatically correct the username, which would lead to inconsistencies.
• The UID for the user will be automatically reset.
• This violates the convention for user naming, potentially causing compatibility issues with some tools or scripts. (correct)

An attacker gains read access to /etc/passwd. What immediate steps should a system administrator take to mitigate potential risks?

Monitor system logs for suspicious login attempts, and reinforce password complexity policies. (B)

What is the significance of a 32-bit UID (User ID) in the context of user management?

It limits the number of possible user accounts to $2^{32}$. (C)

Flashcards

User Management

The process of controlling user access and permissions within a system.

User ID (UID)

A 32-bit numerical identifier assigned to each user account.

/etc/passwd

A file containing a list of authorized users and basic account information.

Password Placeholder

A placeholder (often "x" or "*") in /etc/passwd, indicating the password is stored elsewhere.

/etc/shadow

A file containing encrypted passwords and other security-related user information, not world-readable.

Study Notes

• System security depends on account management.
• User's ID (UID) is a 32-bit number.
• /etc/passwd lists authorized users in a world-readable file.
• The /etc/passwd file contains a pro-forma entry (often "x" or "*") where the user password used to be stored.
• /etc/shadow contains encrypted passwords in a file that is not world-readable.

/etc/passwd

• Login names must be unique, lowercase, begin with a letter, and be no more than 32 characters long.
• Login names should not contain colons or newlines.
• A clever scheme is needed to avoid duplicate login names.
• The password holder is a hashed string located in /etc/shadow.
• DES was easy to crack, while MD5 had a weakness.
• Salted SHA-512 is the current standard.
• Ubuntu enforces password standards (6+ characters, complexity).
• Use system tools to add users and avoid editing the passwd file directly.

UID

• Root has a UID of 0.
• UID determines superuser status, not the account name.
• You can have an account named "bobby" with UID 0 that is a superuser, and an account named "root" with UID 1006 that is not a superuser.
• Pseudo-users like "bin" and "daemon" have low UIDs.
• Real user IDs start with 1000 or higher.
• The useradd config file specifies the range for real user IDs.
• Two accounts using the same UID are effectively the same user, which can be dangerous.
• Accounts with the same UID can kill each other's processes and read/delete each other's files.
• Do not recycle user IDs, especially after restoring backups.
• UID should be consistent across all systems in the organization.

Default GID

• Default GID is a 32-bit integer.
• GID 0 is for root, system, or wheel (on some systems).
• Group IDs are used to share file access.
• /etc/group defines groups.
• /etc/passwd provides the default GID at login.

Optional GECOS Info

• GECOS includes name, office, and number.
• GECOS is a relic from UNIX, representing General Electric Comprehensive Operating System services.
• GECOS has no well-defined syntax.
• Users can change their GECOS info with chfn.
• It's a good idea to disable chfn.

Home Directory

• The home directory is the login default.
• The home directory includes shell aliases and environmental variables.

Login Shell

• The Login shell is the command interpreter.
• The default shell in Linux is bash, while FreeBSD and others use sh.
• Sysadmins can change a user's shell in /etc/passwd.

/etc/shadow

• /etc/shadow is readable by the superuser only.
• /etc/shadow is default on all systems.
• This file contains additional information not found in /etc/passwd.
• /etc/shadow is not a superset of /etc/passwd.
• Use tools to maintain /etc/shadow and do not add users by manually editing.
• /etc/shadow contains the following fields:
• Login name is the same as in /etc/passwd.
• Encrypted password is 86 chars, SHA-512, and starts with $6$.
• Same as in previous /etc/passwd file.
• Date of last password change.
• Filled by passwd command.
• Min # days between password changes, 0 is recommended.
• Max # days between password changes.
• This number + grace period.
• Number of days in advance to warn users of password expiration.
• login will warn users.
• Days after expiration for account to be disabled (grace period).
• Account expiration date.
• Admin has to reset before user can login.
• Can use usermod to set expiration field in the format yyyy-mm-dd.
• Reserved field for future use.
• /etc/shadow requires a username and password.
• Date fields are specified in days (not seconds) since Jan 1, 1970.

Reconciling Differences Between Passwd and Shadow

• Use pwconv
• /etc/group file lists groups and their members.
• The group name is 8 characters long in most systems.
• Contains an encrypted password placeholder.
• The GID number.
• Lists members, separated with commas.
• Group membership is granted in the login file, so /etc/passwd has the last word if a user is not listed in a specific group in /etc/group.
• GID should start at 1000.
• Users can be in an unlimited number of groups.
• useradd and adduser default to putting each user in their own group.
• Linux provides groupadd, groupmod, and groupdel commands.

Changes Made by Hand

• Making changes by hand is error prone.
• User agreement and policy statement.
• Do this before creating an account.
• If doing manual changes to passwd or shadow files, use vipw,
• and vigr if making changes to group file.
• This invokes editor in your EDITOR env variable, not necessarily a vi.

Setting a Password

• Automated systems is a security risk, as usernames can be looked up in the passwd file.

Other non-root and non-user Accounts on the System

• Low-UID users are pseudo-users.
• UIDs under 10 are system accounts.
• UIDs under 100 are associated with some installed software.
• Bin and Daemon are assigned OS files and processes that do not need to be owned by root, avoiding dangers associated with root ownership.
• Advantage of pseudo-groups and pseudo-users is that they can be used more safely than the root account to provide access to resources.
• "nobody" pseudo-user is used by NSF for remote roots, mapping remote roots to this account without giving them root powers on the local system and owns no files.

Commands and Config Files for User Management

• useradd, usermod, userdel live in /etc/login.defs, /etc/default/useradd
• adduser, deluser live in /etc/adduser.conf, and /etc/deluser.conf
• useradd disables new accounts by default.
• Use $ sudo useradd -D to see all current values.

Can You Add Users in Bulk?

• Yes, but...
• newusers creates accounts from a text file with usernames similar to /etc/passwd but with passwords in clear text.
• newusers does not copy all startup files.

Safe Account Removal

• Backups should be made first.

• Use userdel or rmuser.

• Checklist to ensure everything related to an account is removed

• Remove from local db and phonelist.

• Remove mail databases.

• Remove any pending jobs.

• Kill any running processes.

• Remove user from passwd, shadow, gpasswd and gshadow files.

• Remove home dir.

• Remove mail spool.

• Find orphaned files with: sudo find filesystem –xdev -nouser

• Ubuntu's deluser is a Perl script that calls userdel and undoes everything adduser does, and lives in /etc/deluser.conf

Lockout

• Lockout is used to temporarily disable an account.
• A "*" can be put in front of the user password in shadow, OR:
• usermod –L user (puts a ! instead of * described above)
• usermod_U user (unlocks account)
• Some commands still function, such as ssh.
• Better to replace the shell with a program that prints a message and terminates the session.

Centralized Management

• Large Organizations benefit from centralized account management.
• Use LDAP (Lightweight Directory Access Protocol).
• Generalized, database-like repository that stored user management data.
• Hierarchical client-server model
• Supports multiple servers and multiple clients.
• Enforces unique UIDs and GIDs across systems.
• Gets along with Windows.
• Microsoft's Active Directory wants to be the boss in mixed systems.
• Use Linux/Unix LDAP databases as secondary servers.
• The Lightweight Directory Access Protocol is an open, vendor-neutral industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network (Wikipedia).
• Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network.
• Active Directory is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers. Active Directory is a directory services product and LDAP is a protocol that it's functions are based on.

PAM (Pluggable Authentication Modules)

• Programs often use GUI logins without passwords, using alternative methods of authentication such as biometrics, network identity systems, and two-factor authentication.
• PAM is a wrapper for different method-specific authentication libraries.
• PAM is an authentication framework
• PAM is Authentication technology, not access control technology
• It does not check what a user is authorized to do on the system.
• Admins choose methods of authentication with context.
• Programs that require authentication call the PAM system.
• PAM calls the authentication library specified by the sysadmin.
• The file /etc/pam.d/common-passwd contains password policies and the hashing algorithm to use.
• Changing the hashing algorithm does not update existing user passwords; you need to manually update passwords before the new algorithm takes effect.
• Use the command: change -d 0 username
• Password standards are set in /etc/login/defs and /etc/pam.d/common-passwd.
• Hashing algorithm identification:
• SHA512 starts with $6$, 86 chars
• SHA256 starts with $5$, 40 chars
• MD5 starts with $1$ or $md5$, 34 chars
• Blowfish $2$, 32-448 chars
• DES $xx$, where xx are 2 salt chars, 13 chars

Kerberos

• Kerberos deals with authentication, not access control and is an authentication method.
• PAM is the wrapper, and Kerberos is the implementation.
• Kerberos uses a third-party server to perform authentication for the entire network.
• Users do not authenticate themselves to a machine but provide credentials to the Kerberos service.
• Kerberos issues cryptographic credentials that users present to other services as evidence of their identity.
• Kerberos is standard in Windows and part of the MS Active Directory system.

Filesystem ACL

• Filesystem ACL is a generalization of the traditional user/group/world permission model.
• Filesystem ACL allows permissions to be set for multiple users and groups at once.

Useful Commands

• The who utility displays a list of users logged into the local system.
• Remote users logged into the local system have a machine name in parenthesis.
• To know which terminal you are on, or what time you logged in:
• Use who am i
• The finger utility displays similar info + full name + idle time + if messages are disabled (*):
• Finger can be used to get information about one specific user.
• Finger can be a security risk.
• Some systems disable Finger.
• To view system load and duration, use uptime
• w Lists users on the system
• Displays same info as above, plus a list of users currently logged in.
• Useful if you want to communicate with someone locally.
• Communicate with other users: write utility.
• Both users have to execute write username [terminal]
• To exit, press Ctrl-D.
• Messages can be blocked by typing: mesg n, or enabled by typing mesg y

Description

Explore security risks of /etc/passwd. Understand the relationship between /etc/passwd and /etc/shadow files. Learn about the consequences of a numeric username and mitigation steps after unauthorized access.