Linux Security Fundamentals

Shadow Passwords

A common feature of modern Unix systems is shadow passwords. Traditionally, Unix passwords were stored in the /etc/passwd file, encrypted with the Unix crypt() function. This arrangement quickly became the source of many exploits because, for the system to operate, the /etc/passwd file had to be readable by all users. Since every user could read the encrypted version of every password, brute-force attacks were easy to carry out. Enabling shadow passwords protects user passwords by storing them separately from the user account itself. In this configuration all passwords are stored in the /etc/shadow file, which is readable only by root.

To determine whether your system is using shadow passwords, list the contents of the /etc/passwd file. If the second field of each record holds an ‘x’, shadow passwords have been turned on; if it holds a string of data (the password itself), they have not. To enable shadow passwords type [pwconv]. To disable them type [pwunconv].

Managing Passwords

In addition to a more secure configuration, shadow passwords allow additional password properties to be stored and managed. These properties hold information on password age, history, and expiration. Password management is accomplished with the [chage] command. The following options are valid for use with the chage command.

-m: Minimum age for a password.

-M: Maximum age for a password.

-W: Number of days before the maximum age (-M) is reached during which the user receives a warning that their password is about to expire.

-d: Date the password was last changed; useful for forcing password changes or for expiring passwords.

-l: Display current password age settings.

You can combine any of these options to configure the password in a single command.

Understanding File Permissions

Linux file permissions are very simple compared to the access control lists of Windows and Novell. When accessing a file, you do so from one of only three possible perspectives: you are the owner of the file, you are a member of the group that owns the file, or you are neither. These correspond respectively to (U)ser permissions, (G)roup permissions and (O)ther permissions.

You will recall from the last article that each file is owned by a user and by a group. When a user is created, that user is made a member of a primary group. That group membership is stored as part of the user’s account record in the /etc/passwd file. Unless otherwise specified, when the user account is created, a group with the same name as the user is created and the user is made a member of that group. Whenever a user creates a file, its ownership is set using the UID and GID from that user’s record in /etc/passwd.

Permissions on a file consist of 9 bits, arranged as 3 groups of 3 bits. The 3 permission bits in each group are (R)ead, (W)rite and E(x)ecute.
Consider the following examples:

-rwxrwxrwx: Everyone can do anything with this file.

-rw-r-----: The owner can read and write the file; members of the file’s owning group can read it; no one else has access to the file.

drwx------: The owner can modify the contents of the directory and get a listing of it; no one else has access to the directory.

-rw-rw-rw-: This is a public file that allows anyone to access and change it.

drwxrwxrwx: This is a public directory that allows anyone to add to and delete from it.
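As an added example (not from the original article), the following POSIX shell script, run against constructed sample records rather than a real /etc/passwd, checks the second field for the ‘x’ marker described under Shadow Passwords and converts the mode strings from the permission examples above into their octal form.

```shell
#!/bin/sh
# Added example (not from the original article). Two small audit helpers:
# unshadowed_accounts() reads passwd-format records and prints any account whose
# second field is not 'x', i.e. whose hash or empty password still sits in the
# world-readable file; mode_to_octal() turns an ls -l mode string into octal.

# Print account names whose password field is not the shadow marker 'x'.
unshadowed_accounts() {
    while IFS=: read -r name pw _rest; do
        [ "$pw" = "x" ] || printf '%s\n' "$name"
    done
}

# Convert the nine permission characters that follow the file-type character
# (e.g. "-rw-r-----") to their octal form ("640"). Each triad is read as
# r=4, w=2, x=1; setuid/setgid/sticky markers are out of scope here.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    result=""
    while [ -n "$perms" ]; do
        triad=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        n=0
        case "$triad" in r??) n=$((n + 4)) ;; esac
        case "$triad" in ?w?) n=$((n + 2)) ;; esac
        case "$triad" in ??x) n=$((n + 1)) ;; esac
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# Constructed sample records, not taken from any real system: root is shadowed,
# svc still carries a crypt-style hash in field 2, guest has an empty password.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
svc:$6$saltsalt$hashhashhash:1001:1001::/var/svc:/bin/false
guest::1002:1002::/home/guest:/bin/sh'

printf 'accounts not using shadow passwords: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_accounts | tr '\n' ' ')"

for m in '-rwxrwxrwx' '-rw-r-----' 'drwx------'; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

On a live system you would feed the helper with `unshadowed_accounts < /etc/passwd`; any name it prints is an account whose password field still holds a hash or is empty.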