[Bug 1923262] Re: backup /etc/passwd- file should be mode 0600
pkaeding
1923262 at bugs.launchpad.net
Fri Apr 9 23:45:13 UTC 2021
I agree, it was surprising to me as well. The rationale given is just
this:
```
It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
```
If you are interested, you can download the guide at
http://workbench.cisecurity.org (I don't recall the specific terms I
clicked through when I downloaded it, but I don't think I'm allowed to
post it here, even though anyone can download it directly for $0)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1923262
Title:
backup /etc/passwd- file should be mode 0600
Status in shadow package in Ubuntu:
Incomplete
Bug description:
CIS hardening benchmarks (6.1.6) suggest that the /etc/passwd- file
should be mode 0600 (or more restrictive).
However, this file is 0644 after it is created when the /etc/passwd
file is modified. (I.e., a hardening script that creates a hardened
system for initial use could change this mode, but it will go out of
compliance the next time a backup file is made.)
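
Since the report says the backup returns to 0644 each time it is re-created, a one-time chmod does not hold and the mode has to be re-checked. The following is an added example, not part of the bug report or the shadow package: a shell check for "0600 or more restrictive" that only ever removes permission bits. The function names `mode_within` and `audit_backup` and the `FIX` variable are hypothetical, and GNU `stat` (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: audit a file against "mode 0600 or more restrictive".
# Assumes GNU stat (coreutils). Function names and FIX are hypothetical.

# mode_within LIMIT FILE
# Returns 0 if FILE has no permission bits set outside LIMIT (octal),
# 1 if it has extra bits, 2 if the file cannot be inspected.
mode_within() {
    limit=$1
    file=$2
    mode=$(stat -c '%a' -- "$file" 2>/dev/null) || return 2
    # A leading 0 makes shell arithmetic read the digits as octal.
    extra=$(( 0$mode & ~0$limit & 07777 ))
    [ "$extra" -eq 0 ]
}

# audit_backup FILE
# Prints one finding line. With FIX=1, strips every bit outside 0600
# (never adds a bit, so a stricter mode such as 0400 is left alone).
# Returns 1 when the file was found out of compliance, else 0.
audit_backup() {
    file=$1
    rc=0
    mode_within 600 "$file" || rc=$?
    case $rc in
        0) echo "PASS $file"; return 0 ;;
        2) echo "SKIP $file (missing or not inspectable)"; return 0 ;;
    esac
    cur=$(stat -c '%a' -- "$file")
    echo "FAIL $file is mode $cur, want 0600 or more restrictive"
    if [ "${FIX:-0}" = 1 ]; then
        chmod "$(printf '%o' $(( 0$cur & 0600 )))" -- "$file"
    fi
    return 1
}

# Usage (as root, e.g. from a periodic job):
#   FIX=1 audit_backup /etc/passwd-
```

A non-zero return from `audit_backup` means the file had drifted since the last run, which is worth logging even when `FIX=1` corrects it.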